Need clear the refresh token workflow.


I want to store the tokens in my database and, before calling Google APIs, I want to use the refresh_token to get a new access_token so that the user doesn't need to be redirected to the consent screen.

Here is my workflow:

router.get('/oauth/callback', async (req, res) => {
  const { code: authorizationCode } = req.query;
  const { tokens } = await oauth2Client.getToken(authorizationCode);
  oauth2Client.setCredentials(tokens);

  // store tokens in database
  db.save(tokens);

  //...
});

And before every Google API call, I will set the refresh_token on oauth2Client like this:

router.get('/plus/:userId', async (req, res) => {
  const { userId } = req.params;

  // get the stored tokens (including the refresh token) from the database
  const tokens = await db.get(userId);

  oauth2Client.setCredentials({ refresh_token: tokens.refresh_token });

  // call the Google+ API
  const plus = google.plus("v1");
  const { data } = await plus.people.get({ userId });

  //...
});

  1. Is the workflow correct?
  2. Is it necessary to set the refresh_token before every API call?
  3. Should I check the expiry time of the access_token myself?
  4. refreshAccessToken is deprecated. Does that mean I don’t need to refresh the access_token myself?

Need to clarify the doc.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 8 (3 by maintainers)

Top GitHub Comments

1 reaction
mrdulin commented, Feb 25, 2019

@AVaksman Thanks for the reply.

The readme says:

This library will automatically use a refresh token to obtain a new access token if it is about to expire.

I think the refresh token should be attached to a user context, which means each user will have a refresh token. Which refresh token will the library automatically use? So I think I should set the refresh token on this library manually, like below:

const refreshToken = db.findRefreshTokenByUserId(1);
oauth2Client.setCredentials({refresh_token: refreshToken});

The tokens event does not have a user context. I think what @supertiger1234 said is the same thing.

I use express.js. In order to get the user context of the client request, where should I put this token event? In the middleware or in some global scope?

If there is a sample using express.js for handling the expiry of the access token, that would be great.

After reading the readme about ten times, I think maybe the setCredentials API can satisfy my requirement.

Here is fake code to demonstrate the workflow:

router.use(function authMiddleware (req, res, next) {
  // `token` is the JWT sent with the request; how it is read from `req` is not shown here
  const { userId } = jwt.verify(token, 'secret');
  const STORED_REFRESH_TOKEN = db.findRefreshTokenByUserId(userId);
  oauth2Client.setCredentials({
    refresh_token: STORED_REFRESH_TOKEN
  });
  next();
});

0 reactions
bcoe commented, Dec 16, 2019

@apoorva-shah a refresh token does not expire (or should expire very rarely, e.g., if a user revokes credentials on their account). If the goal is to perform background processing for a user with your application, store the refresh_token when first authorizing, and then use this when instantiating the client in the future (the auth library will handle refreshing the token automatically).
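
Added example, not part of the original thread and not the library's own code: the middleware sketch above re-points one shared client on every request, while the last comment suggests supplying the stored refresh_token when instantiating the client. The comparison below runs both patterns under two concurrent requests; `StubOAuth2Client` is a constructed offline stand-in for `google.auth.OAuth2`, and `db`, `sleep` and the user names are hypothetical.

```javascript
const sleep = (ms) => new Promise((r) => setTimeout(r, ms));

// Offline stand-in for google.auth.OAuth2 (constructed stub, not the real class):
// it holds credentials, emits 'tokens', and reports which refresh token a call used.
class StubOAuth2Client {
  constructor() { this.credentials = {}; this.handlers = []; }
  setCredentials(creds) { this.credentials = creds; }
  on(event, fn) { if (event === 'tokens') this.handlers.push(fn); }
  async request() {
    const used = this.credentials.refresh_token;
    await sleep(1); // simulated token refresh round trip
    this.handlers.forEach((fn) => fn({ access_token: 'at-from-' + used }));
    return used;
  }
}

// Constructed sample store: one refresh token per user.
const db = {
  rows: { alice: { refresh_token: 'rt-alice' }, bob: { refresh_token: 'rt-bob' } },
  async find(userId) { await sleep(1); return this.rows[userId]; },
  async save(userId, tokens) { Object.assign(this.rows[userId], tokens); },
};

// Pattern from the thread: one module-level client, re-pointed by each request.
const sharedClient = new StubOAuth2Client();
async function handleShared(userId) {
  const { refresh_token } = await db.find(userId);
  sharedClient.setCredentials({ refresh_token });
  await sleep(5); // any other awaited work before the API call
  return sharedClient.request(); // credentials may now belong to another user
}

// Per-request client: credentials and the 'tokens' handler are bound to one user.
async function handlePerRequest(userId) {
  const client = new StubOAuth2Client();
  const { refresh_token } = await db.find(userId);
  client.setCredentials({ refresh_token });
  client.on('tokens', (tokens) => db.save(userId, tokens));
  await sleep(5);
  return client.request();
}

// Two users hit each handler concurrently; returns the token each call used.
async function demo() {
  const shared = await Promise.all([handleShared('alice'), handleShared('bob')]);
  const isolated = await Promise.all([handlePerRequest('alice'), handlePerRequest('bob')]);
  return { shared, isolated, savedForAlice: db.rows.alice.access_token };
}
```

Calling `demo()` shows the shared client making alice's call with bob's refresh token, while the per-request clients keep each call and each refreshed token tied to the right user.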
