apavlidi / IT_API

The Internet services of the IT department of Alexander Technological Education Institute of Thessaloniki
http://api.it.teithe.gr/
MIT License

Improving API Authentication Performance #53

Closed. iamaldi closed this 5 years ago

iamaldi commented 5 years ago

Currently the access token generated via the /token endpoint has a short expiration time. With that being said, consider increasing the expiration time to a value bigger than the one currently implemented.

Why increase the expiration time?

First of all, having a very short (2 minutes) expiration time for an access token seems a pretty bad idea to implement. Users need to be hammering the API every two minutes to get a refresh token. This seems unnecessary and impractical. Apart from the normal API endpoints that need to be consumed frequently, the authentication flow needs to be a well-performing part of the API in order to avoid performance bottlenecks. Both user experience as well as data consumption can improve by increasing the time allotted to the expiration of the access token.

How could that impact the security of the API?

Well, from a security standpoint, even if you had the expiration time set to 1ms, you still need to make sure that you have a very good implementation of the authentication mechanism in order to be certain that it is secure enough. Setting the expiration time to 2 minutes not only makes the process noisy for the network traffic, but it doesn't necessarily provide 'additional' security as long as the implementation is correct.

Suggestion

I would suggest that you increase the token expiration time to provide a smoother user experience as well as to rest assured that your application doesn't experience any overhead just from the token refreshing.

Please consider the following Stack Overflow post: https://stackoverflow.com/questions/26048945/oauth-v2-google-api-expiry-access-token

kvisnia commented 5 years ago

We know that the expiration time is relatively small, but since we don't have a revocation process for the access token yet, 2 min is the maximum it can be. As soon as we have a revocation process we will increase it.