How long is a refresh token valid?

sam_mcknight

With OAuth2 authentication, you receive an access token and a refresh token. I know the access token is valid for an hour and after it expires you use the refresh token to obtain a new access token. How long is a refresh token valid for before it is no longer valid?

I ask because per this article (https://community.canvaslms.com/t5/Canvas-Developers-Group/Working-with-Refresh-Tokens/m-p/84667#M1383) refresh tokens are permanent unless you go through the OAuth2 process again. However, I am running in to an error that seems to indicate that isn't the case. I haven't nailed down an exact timeframe but it seems to be about 24 hours after running through the initial OAuth2 process.

Error message: {"error":"invalid_grant","error_description":"refresh_token not found"}

matthew_buckett

Hiya,

We've developed several tools that request users grant access to their Canvas account (grant a refresh token) and in our experience we haven't found the refresh tokens to expire.

Could it be that your developer key has scoping enforced and you've recently changed the scopes you request for a token? This will cause Canvas to refuse an access token for a refresh token that had a smaller set of scopes.

And it's not that you're doing some development against the beta/test Instructure cloud instances and over the weekend they got re-synced with production and so lots the refresh token you'd setup?

Users can manually revoke their tokens through https://instance.instructure.com/profile/settings, are you still able to see the application listed on the user in questions profile?

Good luck finding the cause.

Matthew