How to refresh access token with grant?

[samuelmtimbo]

Pardon my naive, as I am still getting used to OAuth2 and grant, but I am failing to find a way to refresh an expired access token using grant. I expect that to be a fairly common scenario.

[simov]

Hi @samuelmtimbo, refreshing an access token is pretty trivial. Pick an HTTP client and make request to the refresh token endpoint of your provider, you don't need Grant for that. Check out these docs or the documentation of the provider you are using.

[samuelmtimbo]

Hi @simov. The docs point out the process of refreshing an access token has similarities with the process of getting the access token for the first time. It requires sending the client_id/client_secret combination and uses the same endpoint (authorize_url in oauth.json) to name a couple. I feel that by implementing this logic separately in my server I would be duplicating work already done inside Grant.

Isn't Grant's purpose to abstract away this sort of communication with multiple providers? I would suggest a "/refresh/[provider]" internal endpoint. I can send a PR if that makes sense to you.

[simov]

The problem is that you have to store your refresh_token somewhere. Grant is only concerned with getting you to a point where you have your access_token and refresh_token, but where you store them after that is up to you.

That might be the session itself, in case you are using external session store, but it might be something else. So that's implementation detail on your end, and that's why you have to implement that endpoint yourself. On the bright side it shouldn't be that difficult to do so, and as you have guessed that sort of endpoint is going to work for 99% of the available OAuth2.0 providers.

[samuelmtimbo]

That makes sense. What if such endpoint received the refresh_token in the request body? The handler's only job would be using the credentials and endpoints already available to Grant to issue a request with grant_type: “refresh_token” and parse the response with the same logic of "connect/[provider]/callback".

[samuelmtimbo]

The main reason behind this feature is that it would evolve alongside with Grant, growing as new providers are added and possible custom logic that come with them.

[simov]

Just keep in mind that storing the refresh_token in the browser is not a good idea. So that kind of defies the purpose of having an endpoint that accepts it.

I think it's best to pass some user identifier to the refresh endpoint and based on that find the refresh_token in your store and make the request. So again you need some state to read from.

[samuelmtimbo]

I understand. I'd rather not influence a bad practice. Thanks for the attention!

[simov]

Not a problem @samuelmtimbo, and I appreciate your feedback! It's not a bad idea either, it's just that most likely it won't be implemented in Grant. Might be a separate library or a Grant compatible middleware like grant-profile and grant-oidc.