Use refresh tokens

[sblack-usu]

Describe the feature you'd like and what it will do I would like refresh tokens to be used to refresh access tokens before they expire. This will limit how often I will need to login with each repository.

Why is this feature important? Refresh tokens can be used to generate a new access token without a user reauthorizing the application.

Is your feature request related to a problem? Please describe. I'm always frustrated when a user has to manually reauthorize a repository. It is also good for security to regularly refresh access tokens.

[Maurier]

@sblack-usu has this been put in place?

[sblack-usu]

yes

[Maurier]

Reopening after reviewing token refresh implementation. I have identified major flaws.

• [x] https://github.com/cznethub/dspback/pull/223 Repository authorization tokens are only refreshed during a small window before their expiration date. An attempt to refresh them should be made once after their expiration because refresh tokens have significantly longer lifespan and that the access token has expired does not necessarily means that the refresh token has expired too.
• [ ] ORCID access tokens are never refreshed. We generate access tokens by encoding ORCID access tokens and setting a browser cookie, and set their expiration date to the received expiration date from ORCID's token. Instead of deleting tokens immediately after their expiration, an attempt to refresh them should be made once after their expiration or upon failed request (and, if successful, reset the cookie). Same reason as above.

See example OAuth token refresh flow: https://cloudentity.com/developers/basics/oauth-grant-types/refresh-token-flow/