Use OAuth 2.0 tokens on your website, app, and servers

April 08, 2022



Posted by Peter Jacobsen, Technical Writer

OAuth 2.0 is an open standard authorization framework for token-based authorization on the internet. An OAuth 2.0 access token is a string that the OAuth 2.0 client presents to the resource server when it makes requests on the user's behalf. The token is opaque to the client: it does not reveal the user's identity or any other information to the client, and the client should never try to parse it. Use access tokens only to make requests to the resource server, not as a statement about who the user is.

Offline refresh tokens

Access tokens expire after a set lifetime, after which the resource server rejects API requests that present them. If you requested offline access to the scopes associated with the token, you also receive a refresh token, which lets you obtain a new access token without prompting the user for permission, even when the user isn't present.

As a best practice, give refresh tokens a considerably longer lifetime than access tokens, because the refresh token is what lets the app recover from an expired access token without re-prompting the user. For example, if you set the expiration to 30 minutes for an access token, set the refresh token's expiration to 24 hours or longer. Because a refresh token is a long-lived credential, store it more carefully than the access tokens it renews.

For more information, see Refreshing an access token (offline access).

Online access

Some apps instead require the user to reauthenticate after a shorter period of time and rely on the access token alone, with no refresh token. These apps have online access, as opposed to apps that hold a refresh token, which are considered to have offline access.

For more information, see Refreshing an access token (offline access) and Refresh tokens.

JSON Web Token (JWT) and token expiration

To authenticate to Cloud IoT, each device must prepare a JWT. JWTs are used for short-lived authentication between devices and the MQTT or HTTP bridges.

JWTs are composed of three sections: a header, a payload that contains a claim set, and a signature. The header and payload are JSON objects that are serialized to UTF-8 bytes and then encoded with base64url encoding, without the trailing "=" padding that standard Base64 would add.

The JWT's header, payload, and signature are concatenated with periods. The signature is computed over the first two encoded sections, so any change to the header or payload invalidates it. As a result, a JWT typically takes this form:

{Base64url encoded header}.{Base64url encoded payload}.{Base64url encoded signature}

For more information, see Using JSON Web Tokens (JWTs) and Managing JWT token expiration.

Common token expiration paradigms

There are different policies and strategies that you can use to manage token expiration. You can:

  • Monitor your HTTP responses, look for 401 HTTP responses, and respond accordingly, typically by refreshing the token and retrying the request once.
  • Check the token's expiration time proactively to determine whether the token is still valid before you make an HTTP request to the resource server.
  • Combine the previous two strategies, so that you also handle the case where a token that was valid when you checked it expires during the request, and the request comes back with a 401 HTTP response.
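The following is an added example, not code from the original post, of a client that applies the combined strategy above together with the refresh-token lifetimes discussed earlier: it checks the access token's expiration before each request (with a small margin), refreshes when needed, and retries exactly once on a 401. The authorization server, resource server, token names, the 30-minute access-token lifetime and the rotated refresh tokens are constructed stand-ins so that the example runs offline; in a real app the two fake servers are the provider's token endpoint and API.

```python
import time
from typing import Callable, Dict, Tuple


class Clock:
    """Controllable clock so the expiration logic can be exercised without waiting."""
    def __init__(self, t: float) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class FakeAuthServer:
    """Constructed token endpoint: issues 30-minute access tokens and rotates refresh tokens."""
    def __init__(self, clock: Callable[[], float]) -> None:
        self.clock = clock
        self.issued: Dict[str, float] = {}       # access token -> expiry time
        self.valid_refresh = {"rt-0"}            # refresh tokens still usable
        self.revoked: set = set()                # access tokens revoked server-side
        self.counter = 0

    def refresh(self, refresh_token: str) -> dict:
        if refresh_token not in self.valid_refresh:
            # Refresh token expired, revoked or already used: the user must re-consent.
            raise PermissionError("invalid_grant")
        self.valid_refresh.discard(refresh_token)  # one-time use: rotate on every refresh
        self.counter += 1
        access, refresh = f"at-{self.counter}", f"rt-{self.counter}"
        self.issued[access] = self.clock() + 1800
        self.valid_refresh.add(refresh)
        return {"access_token": access, "expires_in": 1800, "refresh_token": refresh}


class FakeResourceServer:
    """Constructed API that returns 401 for unknown, revoked or expired bearer tokens."""
    def __init__(self, auth: FakeAuthServer, clock: Callable[[], float]) -> None:
        self.auth, self.clock = auth, clock

    def get(self, path: str, bearer: str) -> Tuple[int, dict]:
        exp = self.auth.issued.get(bearer)
        if exp is None or bearer in self.auth.revoked or self.clock() >= exp:
            return 401, {"error": "invalid_token"}
        return 200, {"path": path}


class TokenClient:
    SKEW = 60  # refresh this many seconds early to absorb clock drift and request latency

    def __init__(self, auth: FakeAuthServer, resource: FakeResourceServer,
                 refresh_token: str, clock: Callable[[], float] = time.time) -> None:
        self.auth, self.resource, self.clock = auth, resource, clock
        self.refresh_token = refresh_token
        self.access_token = ""
        self.expires_at = 0.0
        self.refreshes = 0

    def _needs_refresh(self) -> bool:
        """Proactive check: treat the token as expired slightly before it actually is."""
        return not self.access_token or self.clock() >= self.expires_at - self.SKEW

    def _refresh(self) -> None:
        resp = self.auth.refresh(self.refresh_token)
        self.access_token = resp["access_token"]
        self.expires_at = self.clock() + resp["expires_in"]
        # Keep the rotated refresh token; the old one is no longer valid.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        self.refreshes += 1

    def request(self, path: str) -> Tuple[int, dict]:
        if self._needs_refresh():
            self._refresh()
        status, body = self.resource.get(path, self.access_token)
        if status == 401:
            # Reactive path: the token died between the check and the call. Retry once only,
            # so a persistent 401 cannot turn into an infinite refresh loop.
            self._refresh()
            status, body = self.resource.get(path, self.access_token)
        return status, body


if __name__ == "__main__":
    clock = Clock(1000)
    auth = FakeAuthServer(clock)
    client = TokenClient(auth, FakeResourceServer(auth, clock), "rt-0", clock=clock)
    print(client.request("/devices"))
    clock.advance(1800)
    print(client.request("/devices"), "refreshes:", client.refreshes)
```

When the refresh itself fails with invalid_grant, the client deliberately lets the PermissionError propagate: at that point no amount of retrying helps, and the app has to send the user back through the consent flow. In a multi-threaded app, guard _refresh with a lock so that concurrent 401s do not each spend the one-time refresh token.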