Refresh Token missing #222

Open
benrolfe opened this issue Mar 8, 2018 · 8 comments
@benrolfe

benrolfe commented Mar 8, 2018

When I request my "access token", by passing my "auth token", I was expecting to also receive a "refresh token", however it's missing.

Can someone explain why it's missing, and how I get hold of a refresh token?

This is what's returned...

access_token:
"eyJhbGciOiJSUzI1NiIsIyJqdGkiWIiOjEsImV4cCI6OiIwMWZkNWVkMi1mNzI0LTRhNzMtODUyNC01OWJhMnCYNXZX89ViZkuiMWEDZiZjRlNTgiLCJzdMTUyMDAxMTA2NiwiaWF0IjoxNTIwMDA3NDY2fQ.2Yk9qz5smUWqNMlSwCvPXjHZzknun9wcP62fytVR1lof4tEjnR5cCI6IkpXVCJ9.euYYKeEP_zb_A1dDYLpKhnBLFoW5Ama9pOrJkz77fJ_gVnemdR9LrrKof9xIAF9JemuYMroCjIawDWHIbiv9tmu4lAO-DIsA6EQN1ER_6SPGofS-Ze07zDEFzQgBLrE5s3v-EGaz6CBczHPyCuFchZ7xnoZ_J3YnuP00PyDYwY5vv9xgPIsz_k0V9Hz3VVlcZu-2YjGxiLrRFgx2lhZP5jlKEI_Qs0_xMtyOE6972ck72CFEnqIxpiPUFRlN9s8f7jRBAnLkkFYh_e4H8FNeA"
expires_in:3600
token_type:"Bearer"
@jesseg34

I would like some information on this as well, the documentation states that refresh token support is bundled yet shows no examples. Thanks in advance!

@benrolfe
Author

Are you able to help @jaredhanson?

@jesseg34

@benrolfe I got mine working, you simply have to generate a refresh token during the exchange and pass the optional refreshToken parameter to the exchange callback. Below is an example of the callback. Hope that helps!

server.exchange(oauth2orize.exchange.code((client, code, redirectUri, done) => {
    // Check the auth code
    // Destroy auth code
    // Create access token
    // Create refresh token
    // ...
        return done(null, token, refreshToken, { expires: 3600 });
    // ...

}));
                               

@benrolfe
Author

@jesseg34 Thanks for the tip, that's exactly what I needed.

On a related note, when you exchange a refresh token for a new access token, should I expect to receive a new refresh token?

This is what I get back after the exchange:

access_token: "eyJhbGmtOIEJkIdMtX3L5tsEA.............dTLpGy4n8hefXae5cYoiFvIXg"
expires_in: 3153600000
token_type: "Bearer"

@jesseg34

jesseg34 commented Mar 26, 2018

This is more of an implementation decision; however, the short answer is no. Refresh tokens are meant to be long-lived and normally do not expire.

Some more reference:

@vibhorgupta-gh

Does this logic work with the 'basic' strategy? Or is there a need to define your own custom strategy?

@tilleps

tilleps commented Oct 24, 2018

Be aware that for security reasons, some flows do not allow refresh tokens such as implicit grant type flow: https://tools.ietf.org/html/rfc6749#section-9

@just24nar

@benrolfe I got mine working, you simply have to generate a refresh token during the exchange and pass the optional refreshToken parameter to the exchange callback. Below is an example of the callback. Hope that helps!

server.exchange(oauth2orize.exchange.code((client, code, redirectUri, done) => {
    // Check the auth code
    // Destroy auth code
    // Create access token
    // Create refresh token
    // ...
        return done(null, token, refreshToken, { expires: 3600 });
    // ...

}));
                               

It worked
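
The two exchanges discussed in this thread (code for tokens, then refresh token for a new access token), as an added example that is not code from the thread or from the oauth2orize project. The in-memory Maps, the function names, `client.id`, and the use of opaque random tokens instead of JWTs are assumptions made for the illustration.

```javascript
const { randomBytes, createHash } = require('crypto');

// Constructed in-memory stores (assumption); a real server would use a database.
const authCodes = new Map();     // code -> { clientId, redirectUri, userId }
const accessTokens = new Map();  // sha256(token) -> { clientId, userId, expiresAt }
const refreshTokens = new Map(); // sha256(token) -> { clientId, userId }

const TTL_SECONDS = 3600;
const sha256 = (s) => createHash('sha256').update(s).digest('hex');

// Issue an opaque access token and keep only its hash server-side.
function issueAccessToken(clientId, userId) {
  const token = randomBytes(32).toString('hex');
  const expiresAt = Date.now() + TTL_SECONDS * 1000;
  accessTokens.set(sha256(token), { clientId, userId, expiresAt });
  return token;
}

// Callback with the signature oauth2orize.exchange.code() expects.
function exchangeCode(client, code, redirectUri, done) {
  const grant = authCodes.get(code);
  // Reject unknown codes and codes bound to another client or redirect URI.
  if (!grant || grant.clientId !== client.id || grant.redirectUri !== redirectUri) {
    return done(null, false);
  }
  authCodes.delete(code); // single use: a replayed code must fail
  const refreshToken = randomBytes(32).toString('hex');
  refreshTokens.set(sha256(refreshToken), { clientId: client.id, userId: grant.userId });
  const accessToken = issueAccessToken(client.id, grant.userId);
  // Third argument is the optional refresh token; the fourth is merged into the response.
  return done(null, accessToken, refreshToken, { expires_in: TTL_SECONDS });
}

// Callback with the signature oauth2orize.exchange.refreshToken() expects.
function exchangeRefreshToken(client, refreshToken, scope, done) {
  const record = refreshTokens.get(sha256(refreshToken));
  // A refresh token is only valid for the client it was issued to.
  if (!record || record.clientId !== client.id) return done(null, false);
  const accessToken = issueAccessToken(client.id, record.userId);
  // No new refresh token is returned here; the client keeps the existing one.
  return done(null, accessToken, null, { expires_in: TTL_SECONDS });
}

// Registration with the library (not executed in this example):
//   server.exchange(oauth2orize.exchange.code(exchangeCode));
//   server.exchange(oauth2orize.exchange.refreshToken(exchangeRefreshToken));
```

Passing `false` as the token makes the exchange fail, so a replayed code or a refresh token presented by a different client is rejected.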
