Tags: oauth, oauth-2.0, authorization, access-token, refresh-token

When should an OAuth authorization code expire?


I know that (when using the "Authorization code" grant in OAuth), the lifetime of an access token should be short but the lifetime of a refresh token can be long. So I decided for my project:

  • access-token-lifetime: 1 day
  • refresh-token-lifetime: 30 days

But what is a typical lifetime of an authorization code? Am I right that it should be really, really short? Maybe like 1 hour or even only a few minutes?

I could not find any "best practice" for this.


Solution

All of this is standard but configurable in most identity / auth servers.

Authorization code

When the user consents to an application accessing their data they are returned an authorization code. This code is only used once and is normally good for five minutes. Anything lower than that would probably cause you issues with clock skew, and there is really no reason IMO for it to be longer.

Access token

Access tokens are returned after the authorization code has been exchanged. Access tokens are most often only good for 60 minutes.

Refresh tokens

Refresh tokens are long-lived tokens. The following are Google's standards:

  • Refresh tokens are good for six months, but this time is sliding.
  • If a refresh token has not been used for six months by an application then the access is revoked.
  • A user can also revoke the access at any time.
  • Depending upon the scope requested, some refresh tokens expire after the user has changed their password.

Again, the above are just Google's standards. On the identity server I work on at work, I think the current setting is that a refresh token expires after one month of non-usage.
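As an added example (not code from the question or the answer above), a small Python token store that enforces the lifetimes the answer describes: single-use five-minute authorization codes with a small clock-skew allowance, 60-minute access tokens, refresh tokens on a sliding six-month idle window, and revocation on user request or password change. The TokenStore class, the password_version parameter and the 30-second skew value are assumptions of this example, not part of any real server.

```python
import secrets
import time

# Lifetimes from the answer above, in seconds; on a real server these are policy knobs.
AUTH_CODE_TTL = 5 * 60                     # authorization code: five minutes, single use
ACCESS_TOKEN_TTL = 60 * 60                 # access token: 60 minutes
REFRESH_IDLE_TTL = 6 * 30 * 24 * 3600      # refresh token: ~six months of non-use, sliding
CLOCK_SKEW = 30                            # assumed tolerance for client/server clock drift

class TokenStore:
    """Hypothetical in-memory store; `now` is injectable so lifetimes can be tested."""
    def __init__(self, now=time.time):
        self.now = now
        self._codes = {}     # code -> (issued_at, client_id, user_id)
        self._refresh = {}   # refresh token -> (last_used_at, user_id, password_version)

    def issue_code(self, client_id, user_id):
        code = secrets.token_urlsafe(32)
        self._codes[code] = (self.now(), client_id, user_id)
        return code

    def redeem_code(self, client_id, code, password_version):
        """Exchange a code exactly once for an access + refresh token pair."""
        entry = self._codes.pop(code, None)          # pop: a second redemption finds nothing
        if entry is None:
            return None
        issued_at, owner, user_id = entry
        if owner != client_id or self.now() - issued_at > AUTH_CODE_TTL + CLOCK_SKEW:
            return None                              # wrong client or code older than 5 min
        refresh = secrets.token_urlsafe(32)
        self._refresh[refresh] = (self.now(), user_id, password_version)
        return {"access_token": secrets.token_urlsafe(32),
                "expires_in": ACCESS_TOKEN_TTL, "refresh_token": refresh}

    def refresh_access(self, refresh, password_version):
        """Sliding window: each use resets the idle timer; a password change revokes."""
        entry = self._refresh.get(refresh)
        if entry is None:
            return None
        last_used, user_id, pw_version = entry
        if self.now() - last_used > REFRESH_IDLE_TTL or pw_version != password_version:
            del self._refresh[refresh]                # expired or stale: drop it for good
            return None
        self._refresh[refresh] = (self.now(), user_id, pw_version)
        return {"access_token": secrets.token_urlsafe(32), "expires_in": ACCESS_TOKEN_TTL}

    def revoke(self, refresh):
        """User-initiated revocation; True if the token existed."""
        return self._refresh.pop(refresh, None) is not None
```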