Open kwibus opened 1 year ago
I've encountered this as well. This issue is not relegated to starlette or any particular client/provider.
My current workaround is to reload the token from storage after the refresh has happened, but in many cases that leads to some gnarly code. Like, rereading the token from the db before every single API call. Not great for performance when I need to make hundreds or thousands of calls.
Anything new here?
Describe the bug
When you use authlib.integrations.starlette_client and you make a request, authlib.integrations.starlette_client will use the refresh token if your access token is expired. But if the authorization server gives you a new refresh token, you should start using the new refresh token. authlib.integrations.starlette_client will do that for this first request with the expired token. But because authlib.integrations.starlette_client does not update the token you used in place, your second request will use the same expired token as the first request. So it will try to refresh again; this seems unnecessary. But this second refresh will also use the old refresh token, not the one it got from the first one. The [oauth rfc](https://datatracker.ietf.org/doc/html/rfc6749#section-6)
And some servers will not allow you to do this.
Error Stacks
To Reproduce
I talk to the exact-online API, which does not allow reuse of refresh tokens. This is a bit unusual, but conforming to the OAuth 2 RFC.
This is the code I used to reproduce this error. (full code can be found here: main.py.txt)
First I request an access token (by accessing /login via browser).
Then I access /user. This works: this will make 2 requests to v1/current/Me on exact online. It also prints that the access token will expire at 2023-06-05 15:10:57 (see log/stacktrace). I will wait until the token is expired.
Then I access /user again. This does not work. The first request gets a response. You get the error "Old refresh token used." on the second request. I also see that expires_at before the second request is still the same. So I assume the token is not updated. I know that part of the problem is that I use the same token twice. But there is no way to get the new token if the refresh is done. Or do I miss something?
Expected behavior
I expect that either:
- the token is updated in place by oauth.exact.get,
- or the new token is part of the return value of oauth.exact.get,
- or the token is managed by the inner client, so it always sends the token of the client when the user does set the token explicitly, and you have a way to update this token.
This issue might be relevant: #422
Additional context
Hope I made it clear what the problem is. I understand it's not easy for others to test this with the exact online API. But I assume it works the same with others. But they will probably not complain about reusing a refresh token.
Let me know if I can help with something.
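A self-contained reproduction of the refresh-token rotation failure this issue describes, added here as an example; it is not code from the issue or from Authlib. The mock authorization server, the token store and the `persist` hook are constructed stand-ins: the server rotates refresh tokens and rejects reuse (RFC 6749 section 6), and `update_in_place=False` mimics a client that refreshes on a private copy of the caller's token. (Authlib's OAuth registry offers an `update_token` hook that fills the role `persist` plays here.)

```python
import time


class RotatingAuthServer:
    """Constructed stand-in for a server that rotates refresh tokens and rejects reuse."""

    def __init__(self):
        self.live_refresh_tokens = {"rt-0"}
        self.refreshes = 0

    def refresh(self, refresh_token):
        if refresh_token not in self.live_refresh_tokens:
            raise PermissionError("Old refresh token used.")
        self.live_refresh_tokens.discard(refresh_token)  # the old refresh token is now dead
        self.refreshes += 1
        new_rt = f"rt-{self.refreshes}"
        self.live_refresh_tokens.add(new_rt)
        return {"access_token": f"at-{self.refreshes}", "refresh_token": new_rt,
                "expires_at": time.time() + 3600}


def api_get(server, token, update_in_place, persist=None):
    """One API call with auto-refresh. With update_in_place=False the client works on a
    private copy of the caller's token, so the caller never sees the rotated token."""
    t = token if update_in_place else dict(token)
    if t["expires_at"] <= time.time():
        t.update(server.refresh(t["refresh_token"]))
        if persist is not None:
            persist(t)  # hypothetical hook: write the rotated token back to storage
    return t["access_token"]


def run(update_in_place, persist_rotated, calls=2):
    """Make `calls` requests starting from one already-expired token (constructed sample).
    Returns (per-call access token or error message, number of refreshes the server saw)."""
    server = RotatingAuthServer()
    store = {"token": {"access_token": "at-0", "refresh_token": "rt-0", "expires_at": 0}}

    def persist(t):
        store["token"] = dict(t)

    results = []
    for _ in range(calls):
        token = store["token"]  # reload from storage before each call
        try:
            results.append(api_get(server, token, update_in_place,
                                   persist if persist_rotated else None))
        except PermissionError as exc:
            results.append(str(exc))
    return results, server.refreshes
```

`run(False, False)` reproduces the issue: the second call refreshes with the already-consumed `rt-0` and gets "Old refresh token used.", while either updating in place (`run(True, False)`) or persisting through the hook (`run(False, True)`) needs a single refresh and serves both calls.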