andstatus / andstatus

Multiple accounts client for multiple Social networks. For Android
http://andstatus.org/
Apache License 2.0

Support for refreshing OAuth access tokens #562

Closed tsileo closed 1 year ago

tsileo commented 1 year ago

If the OAuth access token response contains a refresh_token, it should be stored and a refresh should be attempted when the token is expired (or when hitting a 401?).

Example response from microblog.pub:

{
    "access_token": "redacted",
    "expires_in": 600,
    "me": "https://redacted/",
    "refresh_token": "redacted",
    "scope": "read write follow",
    "token_type": "Bearer"
}

Making a POST to the token endpoint with grant_type=refresh_token + refresh_token + client_id will return the same response as with the authorization code grant + a new refresh token (the spec recommends returning a new one and checking for double use).

Thanks! Let me know if I missed some details.

yvolk commented 1 year ago

@tsileo Could you arrange a test account for me to test this and other related features (e.g. #563)?

tsileo commented 1 year ago

Yes, I will try to set up an instance and give you credentials this weekend.

Can you provide me an email where I can send them?

Thanks!

yvolk commented 1 year ago

@tsileo please use andstatus@gmail.com

tsileo commented 1 year ago

@yvolk email sent, thanks a lot!

yvolk commented 1 year ago

Hello @tsileo ! I made the first test of the newly implemented "refresh-access" feature. As you suggested, on getting a "401 UNAUTHORIZED" response during a timeline request, AndStatus launches the asynchronous "refresh-access" command. The "refreshAccessToken" request is implemented in the ScribeJava library, so currently I don't see the exact request posted to your server, but in the response I got "Internal Server Error" from the library.

Could you advise what was wrong at the server side?

Please see the screenshot from AndStatus (time is UTC):

01-30 05:51:36.339 5/CommandExecutorStrate99: refresh-access,
Status code: OK; soft; Unexpected exception
Caused by com.github.scribejava.core.model.OAuth2AccessTokenErrorResponse: Internal Server Error

unauthotized-and-refreshAccess-Screenshot_20230130_085336

tsileo commented 1 year ago

Hey, thanks!

The form data was:

form_data=FormData([('scope', 'read write follow'), ('refresh_token', '<redacted>'), ('grant_type', 'refresh_token')])

It's missing the client_id. I've seen it required in the OAuth 2.0 spec.
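The exchange discussed in this thread, as an added example that is not part of the issue or of the AndStatus/ScribeJava code: a client-side token store that keeps the `refresh_token` and `expires_in` from the token response, a request builder that always sends `client_id` alongside `grant_type=refresh_token` (the field missing in the form data above), and an offline stand-in for the server's token endpoint that rotates refresh tokens and rejects double use, as the spec recommends. The class names, the `client_id` value and the `me` URL are constructed for the example; the 400/`invalid_request` reply for a missing `client_id` is the fake endpoint's behaviour, not what microblog.pub returned.

```python
"""Client-side refresh_token handling (RFC 6749 section 6) with an offline
stand-in for the token endpoint. Constructed example; all names are hypothetical."""
import secrets
import time
from typing import Optional


class TokenStore:
    """Holds the fields of a token response and tracks the access token's expiry."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested offline
        self.access_token = None
        self.refresh_token = None
        self.expires_at = None

    def save(self, body: dict) -> None:
        self.access_token = body["access_token"]
        # A refresh_token is optional in the response; keep it whenever present,
        # replacing the old one, since the server may rotate it on every refresh.
        if "refresh_token" in body:
            self.refresh_token = body["refresh_token"]
        expires_in = body.get("expires_in")
        self.expires_at = None if expires_in is None else self._now() + int(expires_in)

    def is_expired(self, skew_seconds: int = 30) -> bool:
        """True when the access token is past (or within skew of) expires_in."""
        return self.expires_at is not None and self._now() + skew_seconds >= self.expires_at


def build_refresh_request(refresh_token: str, client_id: str,
                          scope: Optional[str] = None) -> dict:
    """Form fields for the refresh grant; client_id is required for public clients."""
    fields = {"grant_type": "refresh_token",
              "refresh_token": refresh_token,
              "client_id": client_id}
    if scope:
        fields["scope"] = scope      # optional; must not exceed the original grant
    return fields


class FakeTokenEndpoint:
    """Stand-in for POST /token: rotates refresh tokens and treats reuse of a
    spent refresh token as a compromise signal, revoking that subject's live tokens."""

    def __init__(self, client_id: str, expires_in: int = 600):
        self.client_id = client_id
        self.expires_in = expires_in
        self.active = {}   # live refresh_token -> subject ("me")
        self.spent = {}    # already-redeemed refresh_token -> subject

    def issue(self, me: str) -> dict:
        """Mint a fresh access/refresh pair, shaped like the response in the issue."""
        rt = secrets.token_urlsafe(16)
        self.active[rt] = me
        return {"access_token": secrets.token_urlsafe(16), "expires_in": self.expires_in,
                "me": me, "refresh_token": rt, "scope": "read write follow",
                "token_type": "Bearer"}

    def post(self, form: dict) -> tuple:
        """Return (http_status, json_body) for a refresh_token grant."""
        if form.get("grant_type") != "refresh_token":
            return 400, {"error": "unsupported_grant_type"}
        if "client_id" not in form:
            return 400, {"error": "invalid_request", "error_description": "client_id is required"}
        if form["client_id"] != self.client_id:
            return 401, {"error": "invalid_client"}
        rt = form.get("refresh_token")
        if rt in self.spent:
            # Double use: revoke every live refresh token belonging to the same subject.
            me = self.spent[rt]
            self.active = {t: s for t, s in self.active.items() if s != me}
            return 400, {"error": "invalid_grant", "error_description": "refresh token reuse"}
        if rt not in self.active:
            return 400, {"error": "invalid_grant"}
        me = self.active.pop(rt)
        self.spent[rt] = me
        return 200, self.issue(me)


def refresh_access(store: TokenStore, endpoint: FakeTokenEndpoint, client_id: str) -> bool:
    """Run the refresh grant and store the result; False means re-authorization is needed."""
    if store.refresh_token is None:
        return False
    status, body = endpoint.post(build_refresh_request(store.refresh_token, client_id))
    if status != 200:
        return False
    store.save(body)
    return True


def ensure_fresh(store: TokenStore, endpoint: FakeTokenEndpoint, client_id: str,
                 got_401: bool = False) -> bool:
    """Refresh when expires_in has elapsed, or when an API call just returned 401."""
    if got_401 or store.is_expired():
        return refresh_access(store, endpoint, client_id)
    return True
```

Two points worth noting: the client only ever sends a refresh token once and immediately replaces it with the one in the reply, so a stale copy left in storage is exactly what the server's reuse check will catch; and a failed refresh (any non-200) clears the way to a full re-authorization rather than being retried with the same token.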

yvolk commented 1 year ago

Thank you, it works now. I posted v.60.02 to #456 with this change.

tsileo commented 1 year ago

Awesome, thank you!