1

The Google API expiration date is 1 hour. The problem is that I'm using the API in order to allow users to use Admin SDK features (list groups, add members to a group, etc.).

No one can do any of that in one hour; that would require users to log in to their accounts multiple times per day to manage their groups. A 1 hour expiration date is good if you just want to use Google to authenticate users.

How do I increase that, or is there any workaround? Am I missing something?

Lynob

1 Answer

7

Due to security reasons, you cannot change the duration of the access token's expiry. However, you can refresh an access token without prompting the user for permission if you requested offline access to the scopes associated with the token.

  • If you use a Google API Client Library, the client object refreshes the access token as needed as long as you configure that object for offline access.
  • If you are not using a client library, you need to set the access_type HTTP query parameter to offline when redirecting the user to Google's OAuth 2.0 server. In that case, Google's authorization server returns a refresh token when you exchange an authorization code for an access token. Then, if the access token expires (or at any other time), you can use a refresh token to obtain a new access token.
Jacque
  • If I just do `$client->setAccessType('offline')` like here https://developers.google.com/admin-sdk/directory/v1/quickstart/php, everything should work fine? – Lynob Nov 20 '18 at 11:24
  • May I use the token in other parts of the app? Say I store it in MySQL, and it expires, and then the user decides to visit the app 4 hours from now, I call Google's client using the token that is stored in my DB, does it recognize that it's an old token and refresh it? – Lynob Nov 20 '18 at 13:16
  • `$client->setAccessType('offline')` should work. After a user grants offline access to the requested scopes, you can continue to use the API client to access Google APIs on the user's behalf when the user is offline. The client object will refresh the access token as needed. – Jacque Nov 20 '18 at 23:36
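
The flow the answer describes for apps that do not use a client library, together with the stored-token case raised in the comments, as an added example (not code from the answer or from Google's libraries). The endpoints are Google's documented OAuth 2.0 endpoints; the `record` layout, the function names and the injected `post` callable are assumptions made for illustration.

```python
import time
import urllib.parse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def build_auth_url(client_id, redirect_uri, scopes, state):
    """Consent URL; access_type=offline is what makes Google return a refresh token."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "access_type": "offline",
        "state": state,  # anti-CSRF value, compared again on the redirect back
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def get_valid_access_token(record, client_id, client_secret, post,
                           now=time.time, skew=60):
    """Return a usable access token, refreshing the stored record in place if needed.

    record: dict loaded from your store (hypothetical layout) with the keys
            access_token, refresh_token and expires_at (Unix seconds).
    post:   callable(url, form_dict) -> parsed JSON dict; injected so the HTTP
            client is your choice and the logic can be exercised offline.
    """
    if record["expires_at"] - skew > now():
        return record["access_token"]  # still valid, no network call
    if not record.get("refresh_token"):
        raise PermissionError("no refresh token stored; user must re-consent")
    resp = post(TOKEN_ENDPOINT, {
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": record["refresh_token"],
        "grant_type": "refresh_token",
    })
    if "access_token" not in resp:
        # e.g. {"error": "invalid_grant"}: the refresh token was revoked or expired
        raise PermissionError(resp.get("error", "refresh failed"))
    record["access_token"] = resp["access_token"]
    record["expires_at"] = now() + resp["expires_in"]
    # A refresh response normally carries no new refresh token: keep the stored one.
    record["refresh_token"] = resp.get("refresh_token", record["refresh_token"])
    return record["access_token"]
```

Persist the updated `record` after each call. The refresh token is a long-lived credential, so store it encrypted and delete it when the user disconnects the app.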