
I have a client application that uses OAuth2 with the Resource Owner Password Credentials grant type. I wrote a curl HTTP request to obtain the access token when the user provides her credentials, but how do I request another access token when the first one has expired? I read that it's good to estimate the validity of the access token. I found this client library, but I don't think it will solve my problem of requesting a new access token once it expires, or when the refresh token has expired too.

Can anyone point me in the right direction on how to implement this, or to a library for that purpose, please?

M.Abulsoud
2 Answers


The OAuth2 token you receive will have the duration in it. Each token expires after a set amount of time, and that information is sent back as part of the object you receive. So you can store it locally and reuse it until the expiration time passes. Once it does expire you have two options:

  1. Request another token
  2. Refresh the existing token. A lot of the OAuth2 providers offer this functionality.

The only question is whether the library you are using has that built in. If not, maybe you can add it yourself.

Edit

If you want to store the token somewhere then Session will work. The Session does not expire when the user closes their browser but when it hits the timeout expiration set on the host itself. To be fair, if they reopen the app later, they will have to log in again, at which point you can request another token. If you decide to use the Refresh Token functionality then it makes sense to store that in the database itself and use it from there, as this is a long-term thing, not something that is session-based.

Andrei Dragotoniu
  • Is the session a good choice to store the access token and the expiry time? But in this case, if the user closes his browser he needs to authenticate again. I may use cookies for remembering the user authentication. Is what I'm saying correct? – M.Abulsoud Jun 08 '16 at 08:45

Instead of checking token expiration for every resource request, you can handle the token expiration error and perform a Refresh Token request to get a new access token.

The OAuth server should normally mention invalid_grant in its response when the access token is invalid, expired, or revoked. Refer here. You should check with your OAuth server what response it provides exactly when a token is expired.

Some libraries do include this feature, but I did not find it for the library you mentioned. I used Retrofit as a Java client and it has this. You might want to request this feature for the library you mentioned.

If a refresh token is expired, the OAuth authorization flow should start over again.

Sravan
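Putting both answers together (cache the token with its expiry, refresh it once it is no longer valid, and restart the password grant only when the refresh token is also rejected with an error such as invalid_grant), here is an added Python example; it is not code from the question or from either answer. TOKEN_URL, the client_id/client_secret values and the injectable transport callback are assumptions, and the transport is pluggable so the expiry and fallback logic can be exercised offline against a stand-in endpoint.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.example.test/oauth/token"  # placeholder endpoint, not a real server
SKEW = 30  # treat a token as expired this many seconds early to absorb clock drift

class TokenRequestFailed(Exception): """Token endpoint returned an error such as invalid_grant."""

def http_post_form(url, fields):
    """Real transport: POST a form-encoded body and return (status, JSON body), even on 4xx."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

class TokenManager:
    def __init__(self, client_id, client_secret, transport=http_post_form, clock=time.time):
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        self.transport, self.clock = transport, clock
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0  # only tokens are kept; the user's password is never stored

    def _request(self, fields):
        status, body = self.transport(TOKEN_URL, {**fields, **self.creds})
        if status != 200 or "access_token" not in body:
            raise TokenRequestFailed(body.get("error", "unknown_error"))
        self.access_token = body["access_token"]
        self.refresh_token = body.get("refresh_token", self.refresh_token)  # servers may rotate it
        self.expires_at = self.clock() + body.get("expires_in", 0) - SKEW
        return self.access_token

    def login(self, username, password):
        """Resource Owner Password Credentials grant: exchange the user's credentials once."""
        return self._request({"grant_type": "password", "username": username, "password": password})

    def get_token(self, reauthenticate):
        """Return a usable access token; `reauthenticate(manager)` must ask the user to log in again."""
        if self.access_token and self.clock() < self.expires_at:
            return self.access_token  # still valid: no round trip to the server
        if self.refresh_token:
            try:
                return self._request({"grant_type": "refresh_token", "refresh_token": self.refresh_token})
            except TokenRequestFailed:
                self.refresh_token = None  # expired or revoked: the whole flow starts over
        return reauthenticate(self)
```

Persist refresh_token and expires_at between sessions rather than the password, as the first answer suggests for long-lived storage; a resource request that still fails with 401 after this should be treated the same way as a rejected refresh.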