1 to 24 hours. - ThreadSky | a Reddit-style client for Bluesky

derhoff.bsky.social • 20 hours ago

1 to 24 hours.

Comments

Google does seem to implement access token revocation, something Microsoft doesn’t.
Also Microsoft access token validity goes down to 10 minutes but I’m not sure what the length is per-app.

https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes#access-id-and-saml2-token-lifetime-policy-properties

skye.soss.website•20 hours ago

But Google doesn’t support access token revocation for JWT-based access tokens, same as Microsoft. I assume GMail doesn’t use JWTs since there aren’t complex access rules for email (or if there are it isn’t common).

https://cloud.google.com/apigee/docs/api-platform/security/oauth/using-jwt-oauth#usage-notes

protovision.co.uk•20 hours ago

I can't speak for their back-end. I wanted to test but I'll need to jump through a hoop first since it seems to be grouping "devices" by IP/location, this didn't use to happen ...

skye.soss.website•20 hours ago

That’s interesting, I didn’t think Google could get away with grouping device by IP address because of their use of QUIC.

derhoff.bsky.social•19 hours ago

Google: “Interesting theory... from the 5 devices connected to your router.”

skye.soss.website•19 hours ago

I’m thinking more: phone with WiFi -> phone on 4G -> phone on 5G -> VPN

Though maybe Google rejects QUIC session resumptions from different world regions.

protovision.co.uk•19 hours ago

This is new to me, and a bit bothersome. I can't seem to sign out "every other device except that I'm using" like I used to be able to. Odd.

derhoff.bsky.social•20 hours ago

google has ways to revoke access tokens before they expire in some cases, but the limitation of JWTs is still there.

Microsoft, lets you adjust the duration of tokens, but cannot instantly invalidate them once issued.

protovision.co.uk•19 hours ago

Looking at my gmail activity there is a difference between "browser" and "authorised application" access.

protovision.co.uk•20 hours ago

I would not be surprised if they treated mobile applications differently to web-based access.

protovision.co.uk•20 hours ago

3 minutes according to Google?

derhoff.bsky.social•20 hours ago

Well, you know Google...

protovision.co.uk•20 hours ago

I don't mind being called Stevie by the way, I think you meant it derogatorily but my form tutor called me that 40 years ago.

derhoff.bsky.social•20 hours ago

No man, ffs... sorry, just in case.

protovision.co.uk•20 hours ago

No worries, it's just that nobody calls me Stevie anymore :)

Comments

Posting Rules

Reply