ring-oauth2 icon indicating copy to clipboard operation
ring-oauth2 copied to clipboard
verified publisher icon weavejester

Refresh expired access tokens

Open studer-l opened this issue 1 year ago • 5 comments

Adds an additional flow to the existing middleware to refresh expired tokens. The implementation handles multiple active grants. Expired grants that failed to refresh are removed.

The refresh workflow is unconditionally activated. Since a token refresh may occur for any request, access tokens are now always added to the response's :session. This may break code which previously relied on the :session only being set during the initial grant workflow. I do not think this can be avoided.

If a refresh occurs, the tokens in (:session request) are left as-is, the updated access tokens are accessibly via the existing :oauth2/access-token key. This allows downstream handlers to observe that a token refresh occurred.

There is a potential bug, where concurrent requests with expired tokens may race. For example, consider a page containing a css and a js resource. If a user's access token was to expire exactly as the index.html finishes loading, their browser may concurrently fetch both the css and js resources, triggering two concurrent token refresh attempts with the same token, one of which may fail. I do not see a way to address this without introducing considerable complexity.

I have added a timeout of 60 seconds to the refresh http request, which means a slow oauth backend will cause users to become logged out. I think this is more informative for users than hanging forever.

Fixes #40

studer-l avatar Jan 10 '25 19:01 studer-l

Thanks for the PR. This might take a while for me to get through. Please ensure that the commit contains only changes relevant to this feature, that all lines are within 80 characters, and that only public functions have docstrings.

weavejester avatar Jan 10 '25 20:01 weavejester

hi @studer-l ,

I'm working on an app that uses oauth2 and I would need token refresh - since I have 5 min tokens. Do you have time to finish this PR? I'll see if I can implement and test it. Please ping me when you have anything new pushed.

Thanks, Eugen

ieugen avatar Feb 12 '25 11:02 ieugen

hi @studer-l ,

I'm working on an app that uses oauth2 and I would need token refresh - since I have 5 min tokens. Do you have time to finish this PR? I'll see if I can implement and test it. Please ping me when you have anything new pushed.

Thanks, Eugen

Hi @ieugen Thank you for pinging me about this, sorry for letting this pull request linger; I should be able to find the time to finish this, no worries.

studer-l avatar Feb 12 '25 22:02 studer-l

Hi,

Anything I can do to help? I've taken a break from this but I think I will get back on it in 2-3 weeks.

Eugen

ieugen avatar Apr 10 '25 12:04 ieugen

Hey @weavejester sorry to bother you with this again, I've gone through your comments again and I think they should all be addressed.

studer-l avatar Apr 13 '25 21:04 studer-l

Hi, any updates on this PR? It would be great to have the refresh token feature.

chickendreanso avatar Dec 19 '25 06:12 chickendreanso

Hey, apologies, I kind of forgot about this PR entirely!

I've had another look at the code and @weavejester 's review and I think I finally understood how to fix the extra :session state problem :sweat_smile: Please let me know if I am on the right track with my reasoning!

studer-l avatar Dec 19 '25 09:12 studer-l