Does the refresh token change if a device falls offline

While working with the ecobee API we have noticed that if a device falls offline and is not able to communicate with ecobee, when the device comes back online the auth and refresh tokens are no longer valid. We must go back through the OAuth flow to get everything up and running again. We seem to have been able to prove this pretty consistently with our development devices. Are our assumptions correct that the OAuth tokens become invalid if a device falls offline?
  • No that is not correct. A device going offline does not invalidate any of the OAuth tokens. The only way a refresh token is invalidated is if you use it to generate a new Access token, and subsequently use this access token for any request.

  • Hesham,

    Just to expand on your answer, which appears to be mostly correct as I understand it (and correct for all practical purposes)....

    Access tokens are valid for 1 hour from being issued.
    Refresh tokens are valid for 1 year from being issued.
    Refreshing the access token immediately expires the refresh token, upon which a new one is issued.

    So, it is conceivable that, if a device fell offline for over a year (probably not likely), the refresh token would be invalid when it came online again.

    Dustin, when the device goes offline, does it somehow reset the tokens? Otherwise, are you not storing the new refresh token upon refresh?

    I've tried the example program they have online where I got the original set of tokens, and then went to bed. The next morning I was able to get new access & refresh tokens using the refresh token from the previous night.

  • Hi Doug,
    As Hesham alluded to, the access and refresh token expiry has nothing to do with whether the device is online or not, regardless of how long that device is offline for.
    The tokens expire as described in the API documentation.

    So to address your specific statements/questions:
    1. No that is not conceivable. The refresh token would only ever be invalid if it had either been invalidated by the execution of a token refresh; the user has deauthorized the app; or the expiry time of 1 year has elapsed.

    2. The device does not reset the tokens.

    Hope that helps.
    Scott

  • Hi,

    I ran several tests comprising the steps below:

    1) Perform registration and obtain access token and refresh token (let's say A and B);
    2) Store the tokens and perform polls from the device at 1 minute intervals;
    3) Data is obtained on each request;
    4) Within the access token validity period, I perform any of the below steps:
       a) unplug the device
       b) stop Wi-Fi
       c) set to Vacation mode
    5) Data is still polled for the remainder of the hour corresponding to access_token A validity period
    6) On getting code 14, as the 1 hour mark for access token expires, I perform a refresh token using B
    7) On all tests run including manual I get the below:

    POST: [401] Unauthorized
    {
    "error": "invalid_client",
    "error_description": "Authentication error, invalid authentication method, lack of credentials, etc.",
    "error_uri": "http://tools.ietf.org/html/draft-ietf..."
    }

    As I am not altering the tokens in any way, it seems that above three operations "invalidate the refresh token". If I skip step 4) all is running okay and new tokens are obtained when refresh is performed.

    Regards,
    Cezar

  • Hi Cezar,

    Just a quick sanity check.....

    Is the auth token "A" used in step 7 the same as the auth token "A" used in steps 2-5?

    When you do a token refresh, it immediately expires both the Auth and Refresh tokens, issuing new tokens.

  • Step 7 is what I receive when I try to refresh using token B. So it is just after I detect token A has expired.

  • Cezar,

    I can guarantee you 100% that the status of an ecobee thermostat going offline has no bearing whatsoever on the OAuth tokens. There is no connection at any level (whether logical or physical in our systems) that would link the two events together. Thermostats can lose connectivity at any time, and in fact it is common for thermostats to connect and reconnect multiple times within a day. If our OAuth tokens behaved the way you describe then the majority of our customers and partners would have serious issues with having to re-authorize apps.

    What I suspect is happening on your end is that the failure/error from step #4 is causing somewhere else in your system to also try to refresh the token. We see this happen with many developers, where they claim their refreshed tokens are not working but it turns out that their refresh token request is sent as duplicates, and later requests end up invalidating the tokens generated on the first request.
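The duplicate-refresh failure Scott describes above, in a small model added here (this is not ecobee's code): a toy server that treats each refresh token as single-use and invalidates the old pair on a successful refresh, as Doug and Scott state, beside a device-side store that contrasts a naive refresh with a single-flight refresh keyed on the expired access token. All class and function names are assumptions for illustration.

```python
import secrets
import threading

class TokenServer:
    """Toy model of the thread's rotation rule: a refresh token is single-use and
    a successful refresh invalidates the old pair at once (assumption)."""
    def __init__(self):
        self.valid_access, self.valid_refresh = set(), set()
    def issue(self):  # initial authorization and every refresh mint a new pair
        access, refresh = secrets.token_hex(8), secrets.token_hex(8)
        self.valid_access.add(access)
        self.valid_refresh.add(refresh)
        return access, refresh

    def refresh(self, refresh_token):
        if refresh_token not in self.valid_refresh:
            return None  # what the 401 invalid_client response signals
        self.valid_refresh.discard(refresh_token)  # single use
        return self.issue()

class DeviceClient:
    """Hypothetical device-side token store with two refresh strategies."""
    def __init__(self, server):
        self.server = server
        self.access, self.refresh_token = server.issue()
        self._lock = threading.Lock()
    def naive_refresh(self, captured_refresh):
        """Each component sends whatever refresh token it read earlier."""
        new = self.server.refresh(captured_refresh)
        if new is not None:
            self.access, self.refresh_token = new
        return new is not None
    def safe_refresh(self, expired_access):
        """Single-flight refresh: a late caller finds the pair already rotated."""
        with self._lock:
            if self.access == expired_access:
                new = self.server.refresh(self.refresh_token)
                if new is None:
                    return False
                self.access, self.refresh_token = new  # persist before use
            return True

def duplicate_refresh(single_flight):
    """Two components react to the same code-14 expiry (constructed scenario)."""
    client = DeviceClient(TokenServer())
    expired, stale = client.access, client.refresh_token
    if single_flight:
        return client.safe_refresh(expired), client.safe_refresh(expired)
    return client.naive_refresh(stale), client.naive_refresh(stale)
```

Without the single-flight guard the second component's refresh fails exactly as Cezar's step 7 shows, even though the first one succeeded and rotated the pair; with it, the late caller reuses the freshly stored tokens.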