oauth-2.0 - Google API refresh token limit

Tags: oauth-2.0 oauth google-api google-oauth google-calendar-api

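I am developing an application that needs to access multiple Google calendars. All of these calendars belong to different users. Right now I am using OAuth2 for the synchronization. But as I understand it, I can only generate 25 refresh tokens per client ID.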

Note: Save refresh tokens in secure long-term storage and continue to use 
them as long as they remain valid. Limits apply to the number of refresh 
tokens that are issued per client-user combination, and per user across all clients, 
and these limits are different. If your application requests enough refresh tokens 
to go over one of the limits, older refresh tokens stop working.

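As recommended, I keep the refresh tokens in a database. But my question is: what should I do if I get more customers who want to sync their calendars? Is there any way to ignore this limit? Of course not. All I can think of right now is to create more client IDs. Any suggestions?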

Best answer

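It's 50 per user (client-user) (the same as your client-user). Not per client_id. For each person who authenticates to your application, you can have them authenticate up to 50 times. Every refresh token you receive will work. After number 50, the first one will stop working. I think they also work for 6 months; if one has not been used for 6 months, it expires.
You can have as many people as you like authenticate using your client (client_id). You won't have any problems.
Found in the Google OAuth2 documentation here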

Token expiration

You must write your code to anticipate the possibility that a granted token might no longer work. A token might stop working for one of these reasons:

• The user has revoked access.

• The token has not been used for six months.

• The user changed passwords and the token contains Gmail scopes.

• The user account has exceeded a certain number of token requests.

There is currently a limit of 50 refresh tokens per user account per client. If the limit is reached, creating a new token automatically invalidates the oldest token without warning. This limit does not apply to service accounts.

There is also a larger limit on the total number of tokens a user account or service account can have across all clients. Most normal users won't exceed this limit but a developer's test account might.

If you need to authorize multiple programs, machines, or devices, one workaround is to limit the number of clients that you authorize per user account to 15 or 20. If you are a Google Apps admin, you can create additional admin users and use them to authorize some of the clients.


Question: where did you find that? I would like to report it to Google as it is a bit confusing.

Note: Save refresh tokens in secure long-term storage and continue to use them as long as they remain valid. Limits apply to the number of refresh tokens that are issued per client-user combination, and per user across all clients, and these limits are different. If your application requests enough refresh tokens to go over one of the limits, older refresh tokens stop working.

Regarding oauth-2.0 - Google API refresh token limit, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/26135980/
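The quoted documentation asks for code that anticipates a refresh token that no longer works. The sketch below is an added example, not code from the question, the answer or Google: it keeps one refresh token per user, reuses it, and treats an `invalid_grant` error from the token endpoint as the signal to send that user through consent again. `TokenStore`, `access_token_for`, `ReauthorizationRequired` and `http_post_form` are hypothetical names, and the in-memory store stands in for the database.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint

class ReauthorizationRequired(Exception):
    """The stored refresh token no longer works; the user must consent again."""

def http_post_form(url, fields):
    """Default transport: POST a form body, return (status, parsed JSON)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode())
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

class TokenStore:
    """One refresh token per user. Hypothetical in-memory stand-in for the
    database; a real store should encrypt tokens at rest."""
    def __init__(self):
        self._tokens = {}
    def save(self, user_id, refresh_token):
        self._tokens[user_id] = refresh_token  # overwrite, never accumulate
    def get(self, user_id):
        return self._tokens.get(user_id)
    def drop(self, user_id):
        self._tokens.pop(user_id, None)

def access_token_for(user_id, store, client_id, client_secret, post=http_post_form):
    """Exchange the user's stored refresh token for a short-lived access token."""
    refresh_token = store.get(user_id)
    if refresh_token is None:
        raise ReauthorizationRequired(user_id)
    status, body = post(TOKEN_URL, {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    if status == 200:
        return body["access_token"]
    # invalid_grant: revoked, unused for too long, or evicted by the token limit.
    if body.get("error") == "invalid_grant":
        store.drop(user_id)
        raise ReauthorizationRequired(user_id)
    raise RuntimeError(f"token endpoint returned {status}: {body.get('error')}")
```

Because the consent flow runs only when `ReauthorizationRequired` is raised, each user holds a single live refresh token for this client and stays far below the per-user limit.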
