OAuth 2.0: Access & Refresh Token Guide for Cloud Document Services

By Josh Wyse in GET/technical Posted Jul 15, 2014

OAuth is an open standard for authorization that uses access and refresh tokens. An access token is what the application sends to be authorized at the endpoints, for as long as the token is valid. Before the access token expires, a refresh token is used to renew access. In this post, we will review the access and refresh tokens for the five leading cloud document management services: Box, Dropbox, Google Drive, OneDrive and SharePoint.

Since OAuth 2.0 is a new protocol, there aren’t defined standards for using access and refresh tokens. Without a defined standard for tokens, when developers integrate with multiple document management services they must keep in mind various expiration intervals to maintain access across the board.

Some document management services’ tokens expire in a matter of months and others never do. For example, Box’s access token expires after 1 hour while Dropbox’s never does. What’s more, finding information about expiration intervals is a taxing process; in researching this topic, it took much longer than expected to compile a list of this critical information.

Here are the OAuth access/refresh token expiration intervals for the five leading cloud document management services:

Box

  • Access token: 1 hour
  • Refresh token: 60 days (resets 60 days when retrieving new access token)

Dropbox (OAuth 2.0)

  • Access token: Forever
  • Refresh token: N/A

Google Drive

  • Access token: 1 hour, from my experience, but it seems this can vary depending on the Google API (expires_in field is returned in JSON)
  • Refresh token: Forever

OneDrive

  • Access token: 1 hour
  • Refresh token: 6 months (Get a new one every time you call refresh)

SharePoint

  • Access token: 1 hour
  • Refresh token: 6 months (Get a new one every time you call refresh)

Cloud Elements uses OAuth 2.0 to interact with Elements in the Documents Hub during the provisioning process. We handle refreshing tokens for our clients, and have discovered how important it is as a developer to be mindful of these expiration intervals. We hope this information will make your integrations simpler and more efficient.
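One way a client can keep track of the intervals listed above, as an added example that is not Cloud Elements' own code. The provider keys, the refresh_fn callable standing in for each provider's token endpoint, and treating "6 months" as 180 days are assumptions made for the illustration.

```python
import time
from dataclasses import dataclass
from typing import Optional

DAY = 86400
# Refresh-token lifetimes from the list above, in seconds (None = never expires).
# Assumption: "6 months" is treated as 180 days. Dropbox issues no refresh token.
REFRESH_TTL = {"box": 60 * DAY, "google_drive": None,
               "onedrive": 180 * DAY, "sharepoint": 180 * DAY}

class ReauthorizationRequired(Exception):
    """No usable refresh token is left; the user has to authorize again."""

@dataclass(frozen=True)
class TokenSet:
    provider: str
    access_token: str
    access_expires_at: Optional[float]    # None = never expires (Dropbox)
    refresh_token: Optional[str]
    refresh_expires_at: Optional[float]   # None = never expires or not issued

def store_response(provider, resp, now, previous=None):
    """Turn a parsed token-endpoint JSON response into a TokenSet."""
    expires_in = resp.get("expires_in")
    # Keep the old refresh token only when the response does not rotate it.
    refresh = resp.get("refresh_token") or (previous.refresh_token if previous else None)
    ttl = REFRESH_TTL.get(provider)
    return TokenSet(
        provider, resp["access_token"],
        None if expires_in is None else now + int(expires_in),
        refresh,
        now + ttl if (refresh and ttl) else None,  # every refresh restarts the window
    )

def get_access_token(ts, refresh_fn, now=None, skew=60):
    """Return (access_token, TokenSet); the caller must persist the TokenSet."""
    now = time.time() if now is None else now
    if ts.access_expires_at is None or now < ts.access_expires_at - skew:
        return ts.access_token, ts
    if ts.refresh_token is None or (
            ts.refresh_expires_at is not None and now >= ts.refresh_expires_at):
        raise ReauthorizationRequired(ts.provider)
    # refresh_fn(refresh_token) -> dict stands in for the provider's token endpoint.
    fresh = store_response(ts.provider, refresh_fn(ts.refresh_token), now, previous=ts)
    return fresh.access_token, fresh
```

Where the service hands back a new refresh token on every refresh (OneDrive and SharePoint in the list above), the returned TokenSet has to be saved before the new access token is used, otherwise the next refresh is attempted with a stale token.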
