OAuth auto refresh capability

[dhanishmeht]

HI,

Instead of manually checking when the token expires or if you get an error when making an HTTP call and then calling refresh;
does it make sense to include automatically refreshing the token if a refresh token is present when getting the access token?

[dmfs]

Always refreshing the access token if there is a refresh token sounds like a waste of bandwidth. At the very least an implementation should check the expiration date first. There should be no need to refresh when the token is still valid. Otherwise you'd essentially double the number of requests because you'd perform one refresh for every API call.

In http-client-essentials-suite I have a generic authentication decorator which addresses all the pain with authentication and makes it really simple (and secure).

In fact I've already written an AuthStrategy implementation which handles OAuth2 authentication in a transparent manner. Unfortunately that was for a proprietary project, but I'm going to re-implement an Open Source version soon.

[dhanishmeht]

Yes, I did mean when the access token is close to expiration or already expired. I manually do it right now by checking when it will expire and set up a thread to refresh it based on that.