Tags: oauth-2.0, outlook-restapi, outlook-calendar, expired-sessions

OAuth grant flow - tokens expiration


I'm developing an Android app that uses the Outlook Calendar REST API. I'm trying to keep the calendars of multiple users (meeting rooms) in sync and updated.

My questions are:

1) After how long does the initial authorization code expire?

2) And for the refresh token instead?

The access token expires after 60 mins. I can't tell whether the refresh token expires after 6 hours, 14 days or 90 days.

3) Is the latter configurable? Can I make it not expire?


UPDATE: (from https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx)

"The lifetime of the refresh token is not provided and varies based on policy settings and the time when the authorization code grant is revoked by Azure AD. The application should expect and handle cases when the request for a new access token fails. In that case, it should return to the code that requests a new access token."

And also: (from http://blogs.msdn.com/b/exchangedev/archive/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-exchange-online-in-office-365.aspx) "Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. The client application needs to expect and handle errors returned by the token issuance endpoint correctly. When you receive a response with a refresh token error, discard the current refresh token and request a new authorization code or access token. In particular, when using a refresh token in the Authorization Code Grant flow, if you receive a response with the interaction_required or invalid_grant error codes, discard the refresh token and request a new authorization code."

So how can I guarantee that my App will always have all the users logged in?

It will be in airplane mode during the night and it should automatically recover from crashes as well. Can I solve this without authenticating the users programmatically by storing their credentials?

Thanks


Solution

  • Answers:

    1. A few minutes. The exact value is an implementation detail and can change at any moment. You should do whatever you can to redeem the code as soon as you get it.
    2. See http://www.cloudidentity.com/blog/2015/03/20/azure-ad-token-lifetime/
    3. As of today the lifetime limits cannot be changed. We are working on features that will grant you more control, but we have no ETA to share at the moment.

    The only way of guaranteeing that a user is signed in is to successfully redeem a refresh token, or to go through an authentication flow. Use of cached credentials is restricted to very few cases, and will likely be disallowed in upcoming versions of the service.

    If a refresh token expires, you should plan to perform an interactive authentication. Note that the refresh token might also be invalidated by a consent revocation, which will mandate interactivity in all cases.
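As an added example (not code from the question or the answer above), the token-handling logic the answer describes: redeem the authorization code immediately, refresh the access token shortly before it expires, keep the refresh token across transient failures (the device being offline overnight), and discard it only on `invalid_grant` / `interaction_required`, at which point the app must fall back to interactive sign-in. It is written in Python rather than the Android app's Java so it runs stand-alone; the token endpoint, client id, redirect URI and token strings are constructed stand-ins, and the 5-minute refresh skew is a design choice, not a value from the service.

```python
import time
from typing import Callable, Optional

# Token-endpoint error codes that mean the refresh token is dead, per the
# Azure AD / Exchange Online guidance quoted in the question.
NON_RECOVERABLE_ERRORS = {"invalid_grant", "interaction_required"}

# Refresh a little before the reported expiry so a request never races the
# deadline. Five minutes is an assumption for this example, not a service rule.
REFRESH_SKEW_SECONDS = 300


class InteractiveAuthRequired(Exception):
    """Refresh token gone, expired or revoked: only a new authorization code helps."""


class TransientTokenError(Exception):
    """Token endpoint unreachable or temporarily failing: keep the refresh token, retry later."""


class TokenSet:
    def __init__(self):
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None
        self.expires_at: float = 0.0      # epoch seconds


# A token endpoint is modelled as a callable that takes the POST form fields
# and returns the parsed JSON body, or raises ConnectionError. This is a
# hypothetical interface; a real client wraps an HTTP library.
TokenEndpoint = Callable[[dict], dict]


def _apply_response(tokens: TokenSet, body: dict, now: float) -> TokenSet:
    tokens.access_token = body["access_token"]
    tokens.expires_at = now + int(body.get("expires_in", 3600))
    # The service may rotate the refresh token; always keep the newest one returned.
    tokens.refresh_token = body.get("refresh_token", tokens.refresh_token)
    return tokens


def redeem_authorization_code(endpoint: TokenEndpoint, code: str, redirect_uri: str,
                              client_id: str, now: Optional[float] = None) -> TokenSet:
    """Exchange the code right away: authorization codes live only a few minutes."""
    now = time.time() if now is None else now
    body = endpoint({"grant_type": "authorization_code", "code": code,
                     "redirect_uri": redirect_uri, "client_id": client_id})
    if "error" in body:
        # A rejected or expired code cannot be retried; the user must sign in again.
        raise InteractiveAuthRequired(body["error"])
    return _apply_response(TokenSet(), body, now)


def get_access_token(endpoint: TokenEndpoint, tokens: TokenSet, client_id: str,
                     now: Optional[float] = None) -> str:
    """Return a usable access token, refreshing it when it is about to expire."""
    now = time.time() if now is None else now
    if tokens.access_token and now < tokens.expires_at - REFRESH_SKEW_SECONDS:
        return tokens.access_token
    if not tokens.refresh_token:
        raise InteractiveAuthRequired("no refresh token cached")
    try:
        body = endpoint({"grant_type": "refresh_token",
                         "refresh_token": tokens.refresh_token, "client_id": client_id})
    except ConnectionError as exc:            # e.g. airplane mode overnight
        raise TransientTokenError(str(exc)) from exc
    if "error" in body:
        if body["error"] in NON_RECOVERABLE_ERRORS:
            # Discard the refresh token, as the docs instruct, and force re-auth.
            tokens.refresh_token = None
            tokens.access_token = None
            raise InteractiveAuthRequired(body["error"])
        raise TransientTokenError(body["error"])   # e.g. temporarily_unavailable
    _apply_response(tokens, body, now)
    return tokens.access_token


def sync_step(endpoint: TokenEndpoint, tokens: TokenSet, client_id: str,
              now: Optional[float] = None) -> tuple:
    """One iteration of a background sync loop, reduced to the decision it makes:
    ('ok', token) | ('retry_later', reason) | ('reauth', reason)."""
    try:
        return ("ok", get_access_token(endpoint, tokens, client_id, now))
    except TransientTokenError as exc:
        return ("retry_later", str(exc))
    except InteractiveAuthRequired as exc:
        return ("reauth", str(exc))


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint used to exercise the logic offline.
    It rotates refresh tokens on every refresh and can be toggled offline or revoked."""
    def __init__(self):
        self.valid_refresh = {"rt-1"}
        self.offline = False
        self.revoked = False
        self.counter = 1

    def __call__(self, form: dict) -> dict:
        if self.offline:
            raise ConnectionError("network unreachable")
        if form["grant_type"] == "authorization_code":
            if form["code"] != "good-code":
                return {"error": "invalid_grant"}
            return {"access_token": "at-1", "expires_in": 3600, "refresh_token": "rt-1"}
        if self.revoked or form["refresh_token"] not in self.valid_refresh:
            return {"error": "invalid_grant"}
        self.counter += 1
        self.valid_refresh = {f"rt-{self.counter}"}
        return {"access_token": f"at-{self.counter}", "expires_in": 3600,
                "refresh_token": f"rt-{self.counter}"}
```

The important property for the meeting-room scenario is the split between `TransientTokenError` and `InteractiveAuthRequired`: a night of no connectivity produces the former and the cached refresh token survives, so the next successful refresh in the morning keeps the user signed in without stored credentials; only a real `invalid_grant` or `interaction_required` from the token endpoint throws the refresh token away and puts the room on the list of accounts that need a person to sign in again.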