antihax/goesi

Handling refresh token rotations with persistent refresh tokens

Opened this issue · 2 comments

Scrin commented

Based on this (under "PREPARE FOR REFRESH TOKEN ROTATIONS") and this (bottom of the page), the refresh tokens can rotate. While this is not necessarily an issue for "login-use-forget" type of applications, for more persistent applications that save the refresh tokens to a database or disk to survive restarts and continuously run in the background, a mechanism to "catch" refresh token changes in order to update them in db/disk/whatever becomes necessary.

I have resolved this by setting a custom Transport to the http.Client passed to goesi.NewSSOAuthenticatorV2 which will catch these changes and update the tokens in the DB when they change, but since this refresh token rotation applies to everyone using the eve sso & esi, it would be nice to see goesi supporting this "more natively".

I have not dug too deep into the sources of goesi so I don't know what would be the most convenient way to make this more convenient, but at least one solution would be offering an "eve sso aware middleware" http.RoundTripper implementation that wraps another http.RoundTripper, and calls a provided function when it detects a refresh token rotation (which is more or less what I've implemented).

This should be handled by TokenSource in the oauth2 go library, inspect to see if it changed when a new access token was created. https://pkg.go.dev/golang.org/x/oauth2#Token

Scrin commented

That's what I was initially trying to do, but the issue is trying to reliably catch when a new access token gets created, since it all happens transparently in the background by the TokenSource while goesi uses it. The "easiest" way I've found so far (without touching goesi sources) is to catch the call to https://login.eveonline.com/v2/oauth/token by the http client. Another way I initially tried to do it was wrapping all calls to goesi such that the change checking would happen after each call, but that ended up being way too clumsy and prone to mistakes.
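The wrapping http.RoundTripper approach discussed in this thread, sketched as an added example using only the standard library; it is not Scrin's implementation and not goesi code. `RotationCatcher`, its fields and `fakeSSO` are hypothetical names, the `refresh_token` field is the one a standard OAuth2 token response carries, and the token values are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"sync"
)

const tokenHost, tokenPath = "login.eveonline.com", "/v2/oauth/token" // endpoint quoted in the thread
// RotationCatcher (hypothetical) wraps a RoundTripper and reports rotated refresh
// tokens. Use one instance per stored refresh token and seed Last with that token.
type RotationCatcher struct {
	Next     http.RoundTripper
	OnRotate func(newToken string) // required; persist the token here, never log it
	Last     string
	mu       sync.Mutex
}

func (c *RotationCatcher) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := c.Next.RoundTrip(req)
	if err != nil || resp.StatusCode != 200 || req.URL.Host != tokenHost || req.URL.Path != tokenPath {
		return resp, err // not a successful token response: pass through untouched
	}
	body, err := io.ReadAll(resp.Body) // token responses are small JSON documents
	resp.Body.Close()
	if err != nil {
		return nil, err
	}
	resp.Body = io.NopCloser(bytes.NewReader(body)) // the oauth2 client still reads the full body
	var tok struct{ RefreshToken string `json:"refresh_token"` }
	c.mu.Lock()
	defer c.mu.Unlock() // callbacks run in order, one at a time
	if json.Unmarshal(body, &tok) == nil && tok.RefreshToken != "" && tok.RefreshToken != c.Last {
		c.Last = tok.RefreshToken
		c.OnRotate(c.Last)
	}
	return resp, nil
}
type fakeSSO string // constructed response body standing in for the network
func (f fakeSSO) RoundTrip(*http.Request) (*http.Response, error) {
	return &http.Response{StatusCode: 200, Body: io.NopCloser(bytes.NewReader([]byte(f)))}, nil
}

func main() {
	c := &RotationCatcher{Next: fakeSSO(`{"refresh_token":"constructed-new"}`), Last: "constructed-old"}
	c.OnRotate = func(string) { fmt.Println("refresh token rotated: persist the new one") }
	(&http.Client{Transport: c}).Post("https://"+tokenHost+tokenPath, "", nil)
}
```

In real use, `Next` would be the transport of the `http.Client` handed to `goesi.NewSSOAuthenticatorV2`, and `OnRotate` would write to the database before the old token is discarded.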