Tim Dorr

You probably want https://github.com/jk-gan/redux-flipper. This project is geared towards Dev Tools implementations.

Yes, I do have access to all of that now. There was an effort to get that all updated, but I think it fizzled out a bit.

I would note that email/password login still works. You go through the authorize endpoint to convert that to an authorization code, which you then exchange for a short-lived bearer token...

Refresh tokens don't have any expiration typically. The spec doesn't mention having them expire at least, and implementing them as expiring is not typical, at least with any OAuth provider...

> I thought the refresh tokens typically expired after 2x the token expiry time (i.e. 90 days in the old version). That's why I thought the new ones might expire...

I'm not 100% sure this is a valid bug. Yes, it's not doing what you're expecting, but that's also not a valid path, as `*` and spaces aren't valid characters...

Sorry, I shouldn't have said asterisks are encoded. They are not according to [the spec](https://www.ietf.org/rfc/rfc3986.txt) (section 2.2). You can also use `+` for spaces in URLs. But what you're passing...

Can you post a more concrete example? I'm not seeing this behavior myself. Are you using a HashRouter, by chance?

Also, to make things easier, you can use our codesandbox project as a starting point: https://codesandbox.io/s/n55VljYk7

Ah, I thought they passed that through to the browser. My bad.