oauth-2.0

Can I use an OAuth2 service in an unattended workflow?


The 'flow' for OAuth2, involves getting the user to say 'yes this is OK'. The token that comes back is temporary.

But I'm trying to create an unattended service. Will the refresh token always work? I get the feeling that it too is going to expire.


Solution

  • This depends on who is implementing OAuth2. In the description of the refresh token, the expiry is not discussed as part of the specification. The spec later goes on to state somewhat ambiguously that a value error of invalid_grant can be returned if:

    The provided authorization grant (e.g. authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

    This would seem to imply that it is possible for a refresh token to expire.

    The document also mentions that it is possible to exchange "credentials with a long-lived access token or refresh token", thus grouping them into the same expiry class.

    The latest version of the spec can be found at: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2

    As for the Google-specific implementation:

    Refresh tokens are valid until the user revokes access.

    The refresh token will be valid for all time, with the only exception coming when the user revokes that permission.

    For Google OAuth2, a user can revoke permission either through a web GUI or using an OAuth revoke endpoint.
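As an added example (not part of the original question or answer), the following Python shows what the answer's `invalid_grant` point means for an unattended service: the refresh-token request from section 6 of the spec, plus a client that treats `invalid_grant` (token expired or revoked) as "a human must re-consent" rather than as a retryable failure. The `post` transport hook and `fake_token_endpoint` are constructed stand-ins so it runs offline, not any provider's real API.

```python
# Refresh-token renewal for an unattended OAuth2 client (RFC 6749, section 6).
# The provider's token endpoint is replaced by a constructed stand-in so this
# runs offline; `post` is a hypothetical transport hook, not a real library API.
from dataclasses import dataclass


class ReconsentRequired(Exception):
    """Refresh token expired or revoked: a human must re-authorize the client."""


@dataclass
class TokenSet:
    access_token: str
    expires_in: int
    refresh_token: str  # providers may rotate it; always store the newest one


def build_refresh_request(refresh_token, client_id, client_secret):
    """Form fields of the refresh_token grant (spec section 6)."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id, "client_secret": client_secret}


def refresh_access_token(tokens, client_id, client_secret, post):
    """Renew the access token; post(form) -> (http_status, json_body)."""
    status, body = post(build_refresh_request(tokens.refresh_token, client_id, client_secret))
    if status == 200 and "access_token" in body:
        return TokenSet(access_token=body["access_token"],
                        expires_in=int(body.get("expires_in", 3600)),
                        refresh_token=body.get("refresh_token", tokens.refresh_token))
    if body.get("error") == "invalid_grant":
        # The grant is "invalid, expired, revoked ..."; no unattended recovery exists,
        # so surface it distinctly and page an operator rather than retrying forever.
        raise ReconsentRequired(body.get("error_description", "refresh token rejected"))
    # invalid_client, server_error, ... are operational failures: retry with backoff
    raise RuntimeError(f"token endpoint error: {body.get('error', status)}")


def fake_token_endpoint(valid_refresh_tokens):
    """Constructed stand-in for a provider's token endpoint (offline demo only)."""
    def post(form):
        if form.get("grant_type") != "refresh_token":
            return 400, {"error": "unsupported_grant_type"}
        if form.get("refresh_token") not in valid_refresh_tokens:
            return 400, {"error": "invalid_grant", "error_description": "Token has been revoked."}
        return 200, {"access_token": "at-" + form["refresh_token"], "token_type": "Bearer",
                     "expires_in": 3600}
    return post
```

In a real deployment `post` would send the form to the provider's token endpoint over TLS; the branch that matters for an unattended job is the `ReconsentRequired` one, which the scheduler should turn into an alert instead of a retry loop.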