3

I found that scribe does not extract refresh_token in access token.

The OAuth 1.0 extractor contains:

Preconditions.checkEmptyString(response, "Response body is incorrect. Can't extract a token from an empty string");
String token = extract(response, TOKEN_REGEX);
String secret = extract(response, SECRET_REGEX);
return new Token(token, secret, response);

Which contains token secret.

But in OAuth2.0, there is no token secret, but refresh_token instead. Scribe simply ignores it:

Preconditions.checkEmptyString(response, "Cannot extract a token from a null or empty String");
Matcher matcher = accessTokenPattern.matcher(response);
if(matcher.find())
{
  return new Token(matcher.group(1), "", response);
}
else
{
  throw new OAuthException("Cannot extract an acces token. Response was: " + response);
}

This causes a problem. The access token may expire in the future. I have to refresh access token by saved refresh token in every login pregress, but there is no way to get it directly.

I planned to improve scribe add this feature (it's not difficult)... but has anyone already done this ?

Pablo Fernandez
  • 103,170
  • 56
  • 192
  • 232
Shisoft
  • 4,197
  • 7
  • 44
  • 61

2 Answers2

6

What you say is true. Scribe doesn't give you a refresh method for your access tokens. Scribe was meant to make OAuth signatures easy. OAuth2.0 is pretty easy and if everybody were doing OAuth2, there would be arguably no purpose for scribe (it shines on 1.0a flows).

Anyway, you can easily do the refresh step like this:

OAuthRequest request = new OAuthRequest(Verb.POST, "http://server.example.com/token");
request.addBodyParameter("grant_type", "refresh_token");
request.addBodyParameter("refresh_token", accessToken.getToken()); // were accessToken is the Token object you want to refresh.

request.send();

Hope that helps!

Pablo Fernandez
  • 103,170
  • 56
  • 192
  • 232
  • You'll also need to pass the client_id and client_secret... Note that if Scribe didn't do OAuth2, I'd just use oauth-signpost :-) – ejain Apr 05 '13 at 20:23
  • 1
    this signpost? https://github.com/mttkay/signpost the last commit is from more than a year ago and it still doesn't work with the LinkedIn api. Good luck with that. – Pablo Fernandez Apr 06 '13 at 15:44
2

You can do that using the following code (google provider as example)

OAuthRequest request = new OAuthRequest(Verb.POST,"https://accounts.google.com/o/oauth2/token");
    request.addBodyParameter("grant_type", "refresh_token");
    request.addBodyParameter("refresh_token", accessToken.getToken()); // were accessToken is the Token object you want to refresh.
    request.addBodyParameter("client_id", your clientID);
    request.addBodyParameter("client_secret", your clientSecret);
    Response response = request.send();
Peter T.
  • 8,757
  • 3
  • 34
  • 32