
Regarding Google OAuth and scaling a web application

Hello everyone,
Basically I am a newbie who is trying to build some web apps/tools on Google Workspace, and I am in need of some serious help.
Context: I am trying to create an application like Zapier, where users can sign up via OAuth 2.0 so that I can interact with their Google services like Calendar, mail, etc., and provide them services accordingly.
Problem: I want to publish my web app, and before doing that I have a lot of questions and doubts regarding its scalability:
1. For a testing application the refresh token expires in 7 days, so how long will a refresh token last on a published web app?
2. Can I set a custom lifetime for refresh tokens generated via my client ID (if yes, how)?
3. I read that in Google OAuth2, at a time it can have only 100 refresh tokens in circulation. Then how can I build an application that could cater to 1,000-50,000 clients simultaneously, where every individual will have his own set of tokens?

I would be very grateful to anyone who could help me or guide me in the right direction.


3 REPLIES

Hello @varunmukherjee5,

Welcome to the Google Cloud Community!

To answer your questions:

  1. When an application is published, refresh tokens expire indefinitely; there are only a number of reasons why the tokens might expire. Check Refresh Token Expiration to know these reasons.
  2. You can set a longer expiration time for refresh tokens through Apigee.
  3. The limit is per user, meaning you can have thousands of users, but each user can only have up to 100 refresh tokens per client ID. See Refresh Token Expiration.

Let me know if it helped, thanks!

Thank you very much for your help @Marramirez.
But, can you please elaborate on your 3rd point, basically that's confusing me 😅.
Let me take an example to explain my problem: let's say I register my web app for OAuth2; then I will get a unique 'client-id' and 'client-secret' as credentials. What I infer from your text is that 'using my client-id and secret I can authorize 100 users (via OAuth2) and issue them refresh tokens'. Since I have only 1 pair of 'client-id and secret', how can I scale my app for, let's say, 1000 users?

Yes, your unique client-id has a limit of 100 refresh tokens. But if the limit is reached, creating a new token will automatically invalidate the oldest refresh token without any warning.

If you want to scale up, you can use service accounts because they are not affected by the limit of 100 refresh tokens. There is also a larger limit on the total number of refresh tokens a user account or service account can have across all clients.
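The point the replies are making (the 100-token cap is per user per client ID, and when a user exceeds it the oldest token is invalidated silently) is easier to see in code. The following is an added example, not code from the thread, from Google, or from any Google library: it is a toy in-memory model of an authorization server that enforces that cap, plus a Zapier-style app with one client ID that stores one refresh token per user. The class and function names, the `client-id-example` string, the user addresses, and the behaviour of the `InvalidGrant` error are assumptions made for the illustration; only the cap value of 100 and the oldest-token eviction come from the thread.

```python
"""Toy model (added example) of a per-user, per-client refresh-token cap.

Not Google's authorization server: a hypothetical in-memory stand-in that
enforces the cap quoted in the thread (100 live refresh tokens per user per
client ID) and silently drops the oldest token when a user exceeds it.
"""
from collections import defaultdict, deque
import secrets

# Cap quoted in the thread: 100 refresh tokens per user per OAuth client ID.
MAX_REFRESH_TOKENS_PER_USER_PER_CLIENT = 100


class InvalidGrant(Exception):
    """Modelled after the OAuth2 invalid_grant error: the refresh token is no longer usable."""


class ToyAuthServer:
    """Hypothetical authorization server keeping at most `cap` live refresh
    tokens per (user, client_id) and evicting the oldest without warning."""

    def __init__(self, cap=MAX_REFRESH_TOKENS_PER_USER_PER_CLIENT):
        self.cap = cap
        self._per_user_client = defaultdict(deque)  # (user, client_id) -> live tokens, oldest first
        self._live = set()

    def issue_refresh_token(self, user, client_id):
        """Issue a fresh refresh token, enforcing the per-user, per-client cap."""
        token = secrets.token_urlsafe(32)
        queue = self._per_user_client[(user, client_id)]
        queue.append(token)
        self._live.add(token)
        if len(queue) > self.cap:
            self._live.discard(queue.popleft())  # oldest token silently invalidated
        return token

    def refresh(self, refresh_token):
        """Exchange a refresh token for a (dummy) access token."""
        if refresh_token not in self._live:
            raise InvalidGrant("invalid_grant")
        return "access-" + secrets.token_urlsafe(8)

    def is_valid(self, refresh_token):
        return refresh_token in self._live

    def live_tokens(self, user, client_id):
        return len(self._per_user_client[(user, client_id)])


class IntegrationApp:
    """Hypothetical Zapier-like app: one client ID, one stored refresh token per user."""

    def __init__(self, server, client_id):
        self.server = server
        self.client_id = client_id
        self.store = {}  # user -> refresh token; in production encrypt at rest and key by user ID

    def connect(self, user, reuse_existing=True):
        """Called when `user` completes the consent flow. With reuse_existing a returning
        user keeps the stored token instead of minting another one against the cap."""
        if reuse_existing and user in self.store:
            return self.store[user]
        token = self.server.issue_refresh_token(user, self.client_id)
        self.store[user] = token
        return token

    def call_api(self, user):
        """Refresh for `user`; on invalid_grant, forget the token so the user is sent
        back through consent instead of being retried forever. Returns None on failure."""
        try:
            return self.server.refresh(self.store[user])
        except InvalidGrant:
            del self.store[user]
            return None


def simulate_many_users(n_users=1000):
    """Thousands of users with one token each: the cap is per user, so nothing is evicted.
    Returns (users holding a token, users whose refresh succeeded)."""
    server = ToyAuthServer()
    app = IntegrationApp(server, "client-id-example")  # constructed client ID, not a real one
    users = [f"user{i}@example.com" for i in range(n_users)]  # constructed sample users
    for user in users:
        app.connect(user)
    successes = sum(app.call_api(user) is not None for user in users)
    return len(app.store), successes


def simulate_token_churn(n_logins=150, reuse_existing=False):
    """One user re-consenting n_logins times. Without reuse the first token is silently
    evicted once more than 100 are live; with reuse only one token ever exists.
    Returns (live tokens for the user, whether the first token still refreshes)."""
    server = ToyAuthServer()
    app = IntegrationApp(server, "client-id-example")
    user = "alice@example.com"  # constructed sample user
    first = app.connect(user, reuse_existing)
    for _ in range(n_logins - 1):
        app.connect(user, reuse_existing)
    return server.live_tokens(user, app.client_id), server.is_valid(first)
```

The two simulations make the scaling answer concrete: `simulate_many_users(1000)` hands out 1000 tokens under one client ID and every refresh succeeds, because each user only ever holds one. `simulate_token_churn(150)` shows the failure mode a practitioner actually hits: an app that mints a new refresh token on every login for the same user (for example by forcing the consent prompt) runs that one user past 100 live tokens, and any older copy still held by a background job starts failing with invalid_grant. Storing and reusing one token per user, as `connect(reuse_existing=True)` does, keeps each user at a single live token regardless of how often they sign in.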