Will refresh token expire once 2FA is enabled

Time:05-27

We generated a refresh token with the following C# code snippet:

public IActionResult GetGoogleToken()
{
    UserCredential credentials = GoogleWebAuthorizationBroker.AuthorizeAsync(
        new ClientSecrets()
        {
            ClientId = "CLIENT_ID",
            ClientSecret = "CLIENT_SECRET"
        },
        new string[] { GmailService.Scope.GmailReadonly },
        "user",
        CancellationToken.None,
        new NullDataStore()).Result;

    return Json(credentials.Token.RefreshToken);
}

Since then, we have been using it to fetch emails using the Gmail API:

private async Task<GmailService> GetGmailService()
{
    UserCredential credentials = new UserCredential(
        new GoogleAuthorizationCodeFlow(
            new GoogleAuthorizationCodeFlow.Initializer
            {
                ClientSecrets = new ClientSecrets()
                {
                    ClientId = "CLIENT_ID",
                    ClientSecret = "CLIENT_SECRET"
                }
            }),
        "user",
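        // UserCredential takes a TokenResponse (Google.Apis.Auth.OAuth2.Responses),
        // so the stored refresh token string is wrapped in one.
        new TokenResponse { RefreshToken = REFRESH_TOKEN }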
    );
    
    if (credentials.Token.IsExpired(SystemClock.Default))
    {
        if (!await credentials.RefreshTokenAsync(CancellationToken.None))
        {
            throw new Exception("Token could not be refreshed");
        }
    }

    return new GmailService(new BaseClientService.Initializer()
    {
        HttpClientInitializer = credentials,
        ApplicationName = "APP",
    });
}

My question is: Will the refresh token expire once we enable 2FA on the account? Is this behavior documented anywhere?

CodePudding user response:

You are confusing authorization and authentication.

The code you are using requests that the user authorize your application to access their Gmail data.

This has nothing to do with authentication or signin. Authorization is not login.

2FA login is required by OpenID Connect and sign-in. Again, this is not related to your Gmail consent. So no, the user enabling 2FA will not affect your refresh token.

While for the most part even the user changing their password will not affect a refresh token, Gmail API scopes are a little different: the refresh token will expire if the user changes their password.

CodePudding user response:

As per the official Google documentation, that is not a valid reason for the refresh token to expire. It will expire if, during the 2FA enabling process, the user changes their password and the refresh token has Gmail scopes.
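
One way to handle the case both answers describe, where a stored refresh token stops working (for example after a password change on a token with Gmail scopes), is to treat an `invalid_grant` error from the token endpoint as "consent required again" instead of retrying. This is an added example, not code from the question or either answer; `GmailCredentialFactory` and `ReauthorizationRequiredException` are hypothetical names.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Flows;
using Google.Apis.Auth.OAuth2.Responses;

// Hypothetical exception type: tells callers the user must grant consent again.
public sealed class ReauthorizationRequiredException : Exception
{
    public ReauthorizationRequiredException(string message, Exception inner)
        : base(message, inner) { }
}

public static class GmailCredentialFactory // hypothetical helper, not a library type
{
    public static async Task<UserCredential> FromRefreshTokenAsync(
        string clientId, string clientSecret, string refreshToken, CancellationToken ct)
    {
        var flow = new GoogleAuthorizationCodeFlow(
            new GoogleAuthorizationCodeFlow.Initializer
            {
                ClientSecrets = new ClientSecrets { ClientId = clientId, ClientSecret = clientSecret }
            });
        var credential = new UserCredential(
            flow, "user", new TokenResponse { RefreshToken = refreshToken });

        try
        {
            // No access token is stored, so exchange the refresh token before first use.
            await credential.RefreshTokenAsync(ct);
            return credential;
        }
        catch (TokenResponseException ex) when (ex.Error?.Error == "invalid_grant")
        {
            // invalid_grant (RFC 6749 section 5.2): the refresh token is expired or revoked,
            // e.g. after a password change on a token with Gmail scopes. Retrying cannot help.
            throw new ReauthorizationRequiredException(
                "Refresh token rejected; discard it and send the user through consent again.", ex);
        }
        // Other failures (network errors, 5xx responses) propagate unchanged so callers can retry.
    }
}
```

Callers should delete the stored refresh token when `ReauthorizationRequiredException` is thrown and should keep the token value itself out of logs and error messages.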
