I am successfully using mod_auth_openidc to authenticate my website and get an access_token. I can use the access_token to authenticate my server-side code to a third-party resource hosted elsewhere as the logged-in user.
If the access token expires, I need to refresh it, and mod_auth_openidc seems to require me to make a redirect call to a specific URL to do so. If the page I'm in is a GET request, that's fine. The page notices the token has expired, and the redirect comes back to the same page. But if it's a POST, PUT or DELETE request, the eventual refresh is still a GET.
So unless I write some really dirty code to stash the original page and its full details, I seem to be stuck.
By contrast, I can easily make a server-side call to refresh the token, without involving the module, but then the module doesn't know the token has been updated and the updated token will be lost.
The particular use case is one in which I present a form to the user, ask them to fill it in, and send it off. The resulting post data is used to call the third-party API. But if the user spends too long filling in the form, the POST call has an expired access token and can't refresh it.
Is there a way round this, or will I need to revert to using a language-specific library to do all my OpenID and OAuth stuff?