Current official word is:
"Do not throw away your old token when optimistic auto-refresh fails. Do throw
away your token (actually, send it to the revocation endpoint and then throw it
away) when you get a 401 for an API call and then a subsequent refresh fails.
In the case of a failed API call, either the access token expired or access
was denied. At this point your best bet is to try an auto-refresh, and send
your old access token to the revocation endpoint. You'll either get a new
access token (OK!) and can then try the API call again, or you will get an
error and will have to try to explain the error to the user. In the case where
you get a 401 and then refresh and the new token gets you a 401 too, it's
likely you and the API are not in agreement about necessary access scopes, or
something else broke, and in any case you should stop retrying and show the
user an error message of some sort."
Original issue reported on code.google.com by wo...@google.com on 26 Jul 2011 at 8:51
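
The refresh and 401 handling quoted above, sketched as an added example (not code from the original issue or from the project). `call_api`, `refresh` and `revoke` are hypothetical callables standing in for the API request, the token endpoint and the revocation endpoint, and the scenario in `demo()` is constructed.

```python
class RefreshError(Exception):
    """The token endpoint rejected the refresh request."""

class AuthError(Exception):
    """Stop retrying and show the user an error."""

class TokenSession:
    # call_api(token) -> (status, body); refresh() -> new token or raises
    # RefreshError; revoke(token) sends it to the revocation endpoint.
    # All three are hypothetical callables supplied by the caller.
    def __init__(self, access_token, call_api, refresh, revoke):
        self.access_token = access_token
        self.call_api, self.refresh, self.revoke = call_api, refresh, revoke

    def optimistic_refresh(self):
        """Pre-emptive refresh: a failure here is no reason to drop the token."""
        try:
            self.access_token = self.refresh()
            return True
        except RefreshError:
            return False  # old token kept, nothing revoked

    def request(self):
        status, body = self.call_api(self.access_token)
        if status != 401:
            return status, body
        # 401: the token expired or access was denied. Try one refresh.
        old, self.access_token = self.access_token, None
        try:
            new = self.refresh()
        except RefreshError as exc:
            raise AuthError("refresh failed after a 401") from exc
        finally:
            self.revoke(old)  # revoked whether or not the refresh worked
        self.access_token = new
        status, body = self.call_api(new)
        if status == 401:  # a second 401 means stop, not loop
            raise AuthError("new token also got a 401; check scopes")
        return status, body

def demo():
    """Constructed scenario: token 'old' has expired, refresh returns 'new'."""
    revoked = []
    api = lambda tok: (200, "ok") if tok == "new" else (401, None)
    s = TokenSession("old", api, lambda: "new", revoked.append)
    return s.request(), s.access_token, revoked
```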