nwest1
commented
3 years ago I'm a bit hesitant to add any sort of caching / async refresh to this due to complexity in backoff strategies and concurrency. My gut is telling me to (when configured) check expiry before any httpclient.Do() and refresh the token if needed.
Jeffail
As of the current PR #674 - this works as expected except for when a token expires.
Looking to implement this part of the spec: https://tools.ietf.org/html/rfc6749#section-4.3
Because refresh tokens are optional (and internally, we don't implement them,) I'm not sure what the best strategy is to handle refreshing the whole thing.
The core library seems to take care of refreshing properly if a refresh token is available. If it isn't, we'd need to refresh to whole token and implement something to refresh the token based on expiration. Whether that's in
/lib/util/http/client/type.go,/lib/util/http/auth/oauth2.goor elsewhere is tbd.I'm going to experiment a bit with some of the options in the thread below and hope to arrive at something fruitful. Hoping to get your thoughts on where you prefer to see these changes. Does the current oauth2 client credentials work correctly for refreshing tokens?
Some discussion related: https://github.com/golang/oauth2/issues/84
Thanks again!