Short refresh token times


(Swizzles Saissore) #1

I’m currently getting refresh tokens with an expires in of only 1199. According to the oAuth RFC this is in seconds, meaning this is a little under 20 minutes.

Is it intentional to need to query the CCP server and constantly refresh tokens within this short of an interval? I’d love this see this time frame extended significantly.


(Mr Twinkie) #2

having long expire times kinda defeats the purpose of a refresh token?


(Blacksmoke16) #3

You are confusing the access_token with a refresh_token

An access_token is what is used to do auth’d requests with ESI, and yes the token is only valid for 20min. Once this token expires you can use a refresh_token in order to get a new access_token. refresh_tokens do not expire, unless the player manually revokes them on the support site.


(Swizzles Saissore) #4

They do expire or don’t expire?


(Blacksmoke16) #5

access_tokens expire after 20min.

refresh_tokens do not expire but can be revoked on the support site.


(Swizzles Saissore) #6

Thanks, that makes it slightly easier to grasp.

Still doing that query every 20 mins though, but at least we aren’t annoying the user so much.


(Blacksmoke16) #7

Yes that is how you would do it, use the refresh_token to get a new access_token as needed. Otherwise the user would have to login every 20min.


(Brock Khans) #8

In my opinion you only refresh when you need to, not just on a flat every 20 minute schedule. I store the expires time in epoch for each token which is tied to the specific character. When a request needs to be made I check if expires time is less than current time, and if so do a quick call to get a new access token.

Be prepared to catch 4xx errors, when a user revokes the token on the CCP side, your site will get an expired error with a 4xx code. I find it good practice to allow the “delete” option where you clear them from your DB, Cache and do the call to the revoke endpoint that removes the access for your site. That way, your site knows about the revoke, and you can remove them from your end.

Also 5xx code can be present when ESI is having issues.


(Swizzles Saissore) #9

Some good advice, thanks.


(system) #10

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.