OAuth2 Security


#1

So I have the day off and decided to play with my Nest only to find that there are developer APIs.

I might be one of only a handful to have concern for this, but why does Nest allow 10 years for an access token? This sounds like very bad practice. If my understanding is correct, Nest uses the Authorization Code flow. This is similar to what Facebook does when it asks a user to give permissions to a third party application. Once the user gives authorization, a code is returned and the third party app can request a token (only once per code). The token lasts 10 years. Why?

Having a token last 10 years will effectively force clients to maintain security for the lifetime of the token, which is fine, but 10 years is too long. In an age when security is a huge problem, no matter what the customer base is, how can we expect clients to keep that information private? Some breaches take months to learn that something was compromised.

To safeguard themselves, it sounds like Nest offers a deauthorize endpoint, to invalidate tokens. So if there is a breach, clients can clear their users’ access tokens. This is good, but forces the client to have their users log back in and give permissions. But like I said, breaches can take months to learn about.

Nest should consider making short-lived access tokens and offering refresh tokens. Using refresh tokens increases security for both Nest and third party clients. A refresh token should only be used once, so if there is a breach, the third party will know immediately, since a series of refresh tokens will likely become invalid, causing the application to fail at authentication. At that point, the client can then issue a deauthorization and force their user to re-authorize.

Searching online, I saw one comment on Stack Overflow about refresh tokens / expiration and hoping Nest will implement them, but that post was over 4 years ago.
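The rotation scheme the post argues for, as an added example that is not part of the post and not Nest's own code: a simulated authorization server that hands out short-lived access tokens with single-use refresh tokens, and revokes the whole grant when a consumed refresh token is replayed. The access-token lifetime and token family naming are assumptions for the example.

```python
import secrets

ACCESS_TTL_SECONDS = 3600  # short-lived access token (assumed value, not Nest's)


class TokenStore:
    """Authorization-server state for refresh-token rotation (added example).
    Each grant starts a token family; a refresh token is single-use, and
    presenting a consumed one is treated as theft: the whole family is revoked."""

    def __init__(self):
        self.refresh_tokens = {}   # refresh_token -> {"family": str, "used": bool}
        self.revoked_families = set()

    def _issue(self, family):
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = {"family": family, "used": False}
        return {"access_token": secrets.token_urlsafe(32),
                "expires_in": ACCESS_TTL_SECONDS, "refresh_token": refresh}

    def grant(self):
        # Called once the authorization code has been exchanged: a new family.
        return self._issue(secrets.token_urlsafe(8))

    def rotate(self, refresh_token):
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec["family"] in self.revoked_families:
            raise PermissionError("invalid_grant")
        if rec["used"]:
            # Replay of a consumed token: client and thief can no longer be
            # told apart, so every token in the family is revoked.
            self.revoked_families.add(rec["family"])
            raise PermissionError("invalid_grant: refresh token reuse")
        rec["used"] = True
        return self._issue(rec["family"])


def simulate_stolen_refresh_token():
    """Constructed scenario: one normal rotation, then a replay of the old token."""
    store = TokenStore()
    first = store.grant()
    second = store.rotate(first["refresh_token"])   # normal rotation succeeds
    outcomes = []
    for token in (first["refresh_token"], second["refresh_token"]):
        try:
            store.rotate(token)          # replay, then the now-revoked current token
            outcomes.append(False)
        except PermissionError:
            outcomes.append(True)
    return outcomes                       # [True, True]
```

Because the replay revokes the legitimate client's current token as well, the application fails at its next refresh, which is exactly the early breach signal the post describes.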