Expiring RS OAuth tokens

Recently, there was some conversation about expiring RS OAuth tokens among server developers. I thought it might be useful to bring that discussion and relevant updates over here, so it’s all in one place and new users and developers can find it, too.

There’s currently an open issue for php-remote-storage, in which @fkooman is proposing to always expire them after a certain period by default:

Over at 5apps, we’ve just implemented user-editable expiration dates for new authorizations, using some pre-populated values in a dropdown menu (“never” as default, “1 month”, “1 day”). It looks something like this:

While this seems like good UX in theory, I’m not yet certain that it is in practice. Also, aside from the other option choices, I’m wondering if “never” should even be an option in the first place. Any and all input and feedback would be very much appreciated!

mysteryshack does the same thing, with “never” as an option.

Does 5apps really expire per-token or per-app? Are you still issuing one token per app?

It’s per authorization/token. We do issue one per app, yes.

So I guess the implications actually change based on the way one issues tokens.

I think it’s more useful to have one expiration date for each device (which implies issuing multiple tokens per app)

I’d be interested in how you identify devices exactly, and how to show users those device details to identify authorizations per device. Care to elaborate?

@untitaker I’d still be interested in how to do that exactly. Also, @fkooman is planning to add expiration choice to php-remote-storage 2.0, so maybe this could also be a change for that.

Just by issuing multiple tokens… every user has to auth for each device, and for each auth you issue a new token.

Yes, I understand the concept of your idea, but not the technical details for it:

That is, how do you know what a device is in the first place, and how do you name/identify it, both for later auth from the same device and for what device details to show in the UI?

This is a hard problem to solve, so even Google (which btw is the only service I know which will even name my devices) gets it wrong for me sometimes.

I issue multiple tokens and those are my “devices”. There is no other way to identify a device in a web browser other than with a cookie/session.

So the user has no way of identifying which token belongs to which device then? If so, I guess they’re all listed as one combined auth and all deleted at once?

Yes, exactly. Theoretically you can capture the user agent like WhatsApp Web does.

Ok, I see. Thanks.
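The scheme the thread converges on (one bearer token per authorization, each with its own user-chosen expiry, and a User-Agent-derived label so the user can tell the authorizations apart and revoke one without killing the rest) can be sketched in a few lines. The following is an added example written for this page; it is not code from 5apps, mysteryshack or php-remote-storage. The expiry dropdown values are the ones mentioned above; the default of “1 month” instead of “never”, the `AuthStore`/`Authorization` names, the SHA-256 hashing of stored tokens and the crude User-Agent parsing are assumptions made for the example, and the two User-Agent strings are constructed sample input.

```python
"""Per-authorization remoteStorage bearer tokens with user-chosen expiry.

Added example for this thread, not any server's actual implementation.
"""
import hashlib
import re
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Dropdown choices from the thread, as TTL in seconds; None means "never".
# Assumption: the server defaults to "1 month" rather than "never".
EXPIRY_CHOICES = {"never": None, "1 day": 86_400, "1 month": 30 * 86_400}
DEFAULT_EXPIRY = "1 month"

# Order matters: an Edge UA also contains "Chrome/" and "Safari/", a Chrome UA
# also contains "Safari/", an Android UA contains "Linux", an iOS UA "Mac OS X".
_BROWSERS = [("Edge", r"Edg/"), ("Firefox", r"Firefox/"),
             ("Chrome", r"Chrome/"), ("Safari", r"Safari/")]
_OSES = [("Android", r"Android"), ("iOS", r"iPhone|iPad"),
         ("Windows", r"Windows NT"), ("macOS", r"Mac OS X"), ("Linux", r"Linux")]


def label_from_user_agent(ua: str) -> str:
    """Best-effort "<browser> on <OS>" label, like WhatsApp Web shows for sessions."""
    browser = next((n for n, p in _BROWSERS if re.search(p, ua)), "Unknown browser")
    os_name = next((n for n, p in _OSES if re.search(p, ua)), "unknown OS")
    return f"{browser} on {os_name}"


def _hash(token: str) -> str:
    # Only the hash is persisted, so a leaked database does not leak usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Authorization:
    id: str                   # short public id shown in the UI and used for revocation
    token_hash: str
    user: str
    app: str                  # the origin that asked for access
    scope: str                # e.g. "myfavoritedrinks:rw"
    label: str                # derived from the User-Agent at authorization time
    issued_at: int
    expires_at: Optional[int]  # None == "never"
    revoked: bool = False

    def is_valid(self, now: int) -> bool:
        return not self.revoked and (self.expires_at is None or now < self.expires_at)


class AuthStore:
    """One token per authorization: every device/browser that authorizes gets its own."""

    def __init__(self) -> None:
        self._auths: dict = {}  # token hash -> Authorization

    def issue(self, user: str, app: str, scope: str, user_agent: str,
              expiry: str = DEFAULT_EXPIRY, now: Optional[int] = None):
        """Create a fresh token for this authorization; returns (token, record)."""
        if expiry not in EXPIRY_CHOICES:
            raise ValueError(f"unknown expiry choice {expiry!r}")
        now = int(time.time()) if now is None else now
        ttl = EXPIRY_CHOICES[expiry]
        token = secrets.token_urlsafe(32)
        auth = Authorization(
            id=secrets.token_hex(4), token_hash=_hash(token), user=user, app=app,
            scope=scope, label=label_from_user_agent(user_agent), issued_at=now,
            expires_at=None if ttl is None else now + ttl)
        self._auths[auth.token_hash] = auth
        return token, auth

    def authenticate(self, token: str, now: Optional[int] = None) -> Optional[Authorization]:
        """Look up a presented bearer token; None if unknown, expired or revoked."""
        now = int(time.time()) if now is None else now
        auth = self._auths.get(_hash(token))
        return auth if auth is not None and auth.is_valid(now) else None

    def list_for_user(self, user: str, now: Optional[int] = None) -> list:
        """What the "manage authorizations" page would show: one row per device."""
        now = int(time.time()) if now is None else now
        return [a for a in self._auths.values() if a.user == user and a.is_valid(now)]

    def revoke(self, user: str, auth_id: str) -> bool:
        """Revoke a single authorization without touching the user's other devices."""
        for a in self._auths.values():
            if a.user == user and a.id == auth_id and not a.revoked:
                a.revoked = True
                return True
        return False


# Constructed sample User-Agent strings for the example (not captured data).
SAMPLE_UA_DESKTOP = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
SAMPLE_UA_PHONE = ("Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/118.0.0.0 Mobile Safari/537.36")

if __name__ == "__main__":
    store = AuthStore()
    store.issue("alice", "https://myfavoritedrinks.example", "myfavoritedrinks:rw", SAMPLE_UA_DESKTOP, "1 day")
    store.issue("alice", "https://myfavoritedrinks.example", "myfavoritedrinks:rw", SAMPLE_UA_PHONE, "never")
    for a in store.list_for_user("alice"):
        print(a.id, a.label, a.app, a.scope, "expires:", a.expires_at)
```

Because the label is only a User-Agent heuristic, two browsers of the same kind on the same OS will show identical labels; storing the issue time alongside (as above) is what lets a user still tell them apart, which is the limitation the thread notes even Google gets wrong sometimes.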