
Refresh Token missing

Open benrolfe opened this issue 6 years ago • 8 comments

When I request my "access token" by passing my "auth token", I was expecting to also receive a "refresh token"; however, it's missing.

Can someone explain why it's missing, and how I get hold of a refresh token?

This is what's returned...

access_token:
"eyJhbGciOiJSUzI1NiIsIyJqdGkiWIiOjEsImV4cCI6OiIwMWZkNWVkMi1mNzI0LTRhNzMtODUyNC01OWJhMnCYNXZX89ViZkuiMWEDZiZjRlNTgiLCJzdMTUyMDAxMTA2NiwiaWF0IjoxNTIwMDA3NDY2fQ.2Yk9qz5smUWqNMlSwCvPXjHZzknun9wcP62fytVR1lof4tEjnR5cCI6IkpXVCJ9.euYYKeEP_zb_A1dDYLpKhnBLFoW5Ama9pOrJkz77fJ_gVnemdR9LrrKof9xIAF9JemuYMroCjIawDWHIbiv9tmu4lAO-DIsA6EQN1ER_6SPGofS-Ze07zDEFzQgBLrE5s3v-EGaz6CBczHPyCuFchZ7xnoZ_J3YnuP00PyDYwY5vv9xgPIsz_k0V9Hz3VVlcZu-2YjGxiLrRFgx2lhZP5jlKEI_Qs0_xMtyOE6972ck72CFEnqIxpiPUFRlN9s8f7jRBAnLkkFYh_e4H8FNeA"
expires_in:3600
token_type:"Bearer"

benrolfe avatar Mar 08 '18 17:03 benrolfe

I would like some information on this as well, the documentation states that refresh token support is bundled yet shows no examples. Thanks in advance!

jesseg34 avatar Mar 14 '18 16:03 jesseg34

Are you able to help @jaredhanson?

benrolfe avatar Mar 21 '18 14:03 benrolfe

@benrolfe I got mine working, you simply have to generate a refresh token during the exchange and pass the optional refreshToken parameter to the exchange callback. Below is an example of the callback. Hope that helps!

server.exchange(oauth2orize.exchange.code((client, code, redirectUri, done) => {
    // Check the auth code
    // Destroy auth code
    // Create access token
    // Create refresh token
    ...
    return done(null, token, refreshToken, { expires: 3600 });
    ...
}));

jesseg34 avatar Mar 23 '18 21:03 jesseg34

@jesseg34 Thanks for the tip, that's exactly what I needed.

On a related note, when you exchange a refresh token for a new access token, should I expect to receive a new refresh token?

This is what I get back after the exchange:

access_token: "eyJhbGmtOIEJkIdMtX3L5tsEA.............dTLpGy4n8hefXae5cYoiFvIXg"
expires_in: 3153600000
token_type: "Bearer"

benrolfe avatar Mar 26 '18 10:03 benrolfe

This is more of an implementation decision; however, the short answer is no. Refresh tokens are meant to be long-lived and normally do not expire.

Some more reference:

  • https://stackoverflow.com/questions/8953983/do-google-refresh-tokens-expire
  • https://alexbilbie.com/guide-to-oauth-2-grants/

jesseg34 avatar Mar 26 '18 15:03 jesseg34

Does this logic work with the 'basic' strategy? Or is there a need to define your own custom strategy?

vibhorgupta-gh avatar May 29 '18 15:05 vibhorgupta-gh

Be aware that, for security reasons, some flows do not allow refresh tokens, such as the implicit grant type flow: https://tools.ietf.org/html/rfc6749#section-9

tilleps avatar Oct 24 '18 22:10 tilleps

> @benrolfe I got mine working, you simply have to generate a refresh token during the exchange and pass the optional refreshToken parameter to the exchange callback. Below is an example of the callback. Hope that helps!
>
> server.exchange(oauth2orize.exchange.code((client, code, redirectUri, done) => {
>     // Check the auth code
>     // Destroy auth code
>     // Create access token
>     // Create refresh token
>     ...
>     return done(null, token, refreshToken, { expires: 3600 });
>     ...
> }));

It worked

just24nar avatar Dec 11 '18 04:12 just24nar