Closed holmesjr closed 1 month ago

I'm using Cognito as the OAuth provider. In this case, the tokens returned to the client when providing a refresh token do not include a new refresh token (nor the old one - no refresh token comes back at all). This means that https://github.com/badgateway/oauth2-client/blob/dfaa4622ff37217a62a8daa551257c385e8bd7b4/src/client.ts#L184 wipes out the refresh token and subsequent refreshes will fail. I've mentioned the fetch wrapper because that's where I noticed the behaviour, but it appears this will happen for any refresh.
The solution might be to check the returned token and add the old refresh token back if the new one is null. I can PR for this if you're happy with the approach.

Interesting! I wonder how normal this behavior is. Cognito is a big one, so it makes sense to have some kind of workaround for this.

What kind of grant_type was used for obtaining the original tokens?

Yup. The original grant type was code (with PKCE).

Actually I had another look at the RFC and it seems pretty clear we should just keep using the old refresh_token:

If you want me to PR let me know. It's a simple fix (a lot simpler than the ugly workaround I'm using).
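The check proposed in this issue, as an added TypeScript example (not the oauth2-client library's own code): the lossy mapping that drops the refresh token beside the fallback that keeps the one just used. The type and function names and the sample responses are assumptions constructed for the example.

```typescript
type OAuth2Token = {
  accessToken: string;
  expiresAt: number | null;
  refreshToken: string | null;
};

// JSON body of a token endpoint response (RFC 6749 section 5.1).
// refresh_token is optional; Cognito omits it on a refresh_token grant.
type TokenResponse = {
  access_token: string;
  expires_in?: number;
  refresh_token?: string;
};

function expiry(body: TokenResponse, now: number): number | null {
  return body.expires_in ? now + body.expires_in * 1000 : null;
}

// Behaviour the issue reports: the response alone decides the stored refresh
// token, so a provider that omits it leaves null and the next refresh fails.
function tokenFromResponseLossy(body: TokenResponse, now = Date.now()): OAuth2Token {
  return {
    accessToken: body.access_token,
    expiresAt: expiry(body, now),
    refreshToken: body.refresh_token ?? null,
  };
}

// Proposed fix: fall back to the refresh token we just sent when the server
// does not return one. RFC 6749 section 6 lets the server issue a new refresh
// token, in which case the old one must be discarded, so a token present in
// the response still takes precedence over the previous one.
function tokenFromResponseKeepingRefresh(
  body: TokenResponse,
  previous: OAuth2Token,
  now = Date.now(),
): OAuth2Token {
  return {
    accessToken: body.access_token,
    expiresAt: expiry(body, now),
    refreshToken: body.refresh_token ?? previous.refreshToken,
  };
}

// Constructed sample data (not captured from a real Cognito user pool).
const previousToken: OAuth2Token = {
  accessToken: 'old-access', expiresAt: 0, refreshToken: 'rt-from-code-grant',
};
const cognitoStyleRefresh: TokenResponse = { access_token: 'new-access', expires_in: 3600 };
const rotatingRefresh: TokenResponse = { ...cognitoStyleRefresh, refresh_token: 'rt-rotated' };
```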