oauth2
Handling responses with 401 Unauthorized status code
Hello, the current implementation of the client refreshes credentials only when it notices they are expired and can be refreshed. This happens before sending an actual request, so the request is already correctly authorized after the refresh. When the server responds with a 401 Unauthorized status code, the library returns the response and gives control back to the user. This looks like something done by design and not some oversight.
IMHO, the expected behavior of an OAuth client is to handle 401 responses implicitly by trying to refresh the credentials.
So my question is: why does the client return the response instead of trying to refresh the credentials first?
AFAIK, we cannot derive the real auth state from a local expiration check alone. Specifically, what if the server checks the credentials a tiny amount of time after their expiration, therefore returning a 401 response even though our local check succeeded? Does comparing the timestamp with DateTime.now() make a good source of truth?
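The race described in this issue (local check passes, server rejects on arrival) and the two ways of handling it can be modelled without a network. The following is an added example written for this discussion; it is not code from the `oauth2` package, and the `FakeAuthServer`, `Client` and `run_scenarios` names, the token lifetime, the 0.5 s server-side latency and the constructed refresh token are all assumptions of the example. It compares the local-expiry-only strategy with a one-shot refresh-and-retry on 401 and with a clock-skew margin, and shows why the retry must be bounded so a revoked refresh token surfaces as a 401 instead of a refresh loop.

```python
"""Constructed model of two OAuth2 refresh strategies: proactive (local expiry
check before sending) and reactive (refresh once after a 401, then retry).
The server stand-in evaluates each request `latency` seconds after the client's
timestamp, so a locally valid token can already be expired on arrival."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Credentials:
    access_token: str
    refresh_token: Optional[str]
    expiration: Optional[float]  # seconds on the client's clock; None = unknown

    def is_expired(self, now: float, skew: float = 0.0) -> bool:
        """Local check; `skew` treats tokens expiring within that window as expired."""
        return self.expiration is not None and now + skew >= self.expiration

    @property
    def can_refresh(self) -> bool:
        return self.refresh_token is not None


class FakeAuthServer:
    """Constructed token endpoint plus resource server (not a real OAuth server)."""

    def __init__(self, lifetime: float = 60.0, latency: float = 0.0):
        self.lifetime = lifetime
        self.latency = latency
        self.expiry: Dict[str, float] = {}  # access_token -> absolute expiry
        self.valid_refresh = "rt-constructed"  # the only refresh token it accepts
        self.refresh_calls = 0
        self._n = 0

    def issue(self, now: float) -> Credentials:
        self._n += 1
        token = f"at-{self._n}"
        self.expiry[token] = now + self.lifetime
        return Credentials(token, self.valid_refresh, now + self.lifetime)

    def refresh(self, refresh_token: str, now: float) -> Credentials:
        self.refresh_calls += 1
        if refresh_token != self.valid_refresh:
            raise PermissionError("invalid_grant")  # revoked or unknown refresh token
        return self.issue(now)

    def resource(self, access_token: str, now: float) -> Tuple[int, str]:
        exp = self.expiry.get(access_token)
        if exp is None or now + self.latency >= exp:
            return 401, "Unauthorized"
        return 200, "OK"


class Client:
    def __init__(self, creds: Credentials, server: FakeAuthServer,
                 skew: float = 0.0, retry_on_401: bool = False):
        self.creds, self.server, self.skew, self.retry_on_401 = creds, server, skew, retry_on_401

    def _refresh(self, now: float) -> None:
        self.creds = self.server.refresh(self.creds.refresh_token, now)

    def get(self, now: float) -> Tuple[int, str]:
        # Proactive path: refresh before sending when the local check says expired.
        if self.creds.is_expired(now, self.skew) and self.creds.can_refresh:
            self._refresh(now)
        status, body = self.server.resource(self.creds.access_token, now)
        # Reactive path: exactly one refresh and one retry. A second 401 is returned
        # as-is, so a server that keeps rejecting cannot drive an unbounded loop.
        if status == 401 and self.retry_on_401 and self.creds.can_refresh:
            try:
                self._refresh(now)
            except PermissionError:
                return status, body  # refresh rejected: caller must re-authorize
            status, body = self.server.resource(self.creds.access_token, now)
        return status, body


def run_scenarios() -> Dict[str, Tuple[int, int]]:
    """Return {scenario: (status, refresh_calls)} for a request sent 0.2 s before
    local expiry against a server that evaluates it 0.5 s later."""
    results = {}
    s = FakeAuthServer(lifetime=60, latency=0.5)  # 1. local check only: rejected on arrival
    c = Client(s.issue(0.0), s)
    results["local_check_only"] = (c.get(59.8)[0], s.refresh_calls)
    s = FakeAuthServer(lifetime=60, latency=0.5)  # 2. 401 triggers one refresh + retry
    c = Client(s.issue(0.0), s, retry_on_401=True)
    results["refresh_on_401"] = (c.get(59.8)[0], s.refresh_calls)
    s = FakeAuthServer(lifetime=60, latency=0.5)  # 3. 1 s skew margin refreshes before sending
    c = Client(s.issue(0.0), s, skew=1.0)
    results["skew_margin"] = (c.get(59.8)[0], s.refresh_calls)
    s = FakeAuthServer(lifetime=60, latency=0.5)  # 4. revoked refresh token: 401 surfaced, no loop
    c = Client(s.issue(0.0), s, retry_on_401=True)
    c.creds.refresh_token = "rt-revoked"
    results["revoked_refresh"] = (c.get(59.8)[0], s.refresh_calls)
    return results


if __name__ == "__main__":
    for name, (status, refreshes) in run_scenarios().items():
        print(f"{name}: status={status} refresh_calls={refreshes}")
```

Scenario 1 is the situation the issue describes: the local check passes at 59.8 s, the server sees the request at 60.3 s and answers 401, and the client hands that 401 back. Scenario 2 turns the same 401 into a single refresh and a 200; scenario 3 avoids the round trip altogether by treating a token that expires within the skew window as already expired. Scenario 4 is the case that makes the retry bound matter: when the refresh itself is rejected, the client returns the 401 after one attempt rather than retrying indefinitely.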