jaredhanson/oauth2orize

Refresh Token missing

benrolfe opened this issue · 8 comments

When I request my "access token" by passing my "auth token", I was expecting to also receive a "refresh token"; however, it's missing.

Can someone explain why it's missing, and how I get hold of a refresh token?

This is what's returned...

access_token:
"eyJhbGciOiJSUzI1NiIsIyJqdGkiWIiOjEsImV4cCI6OiIwMWZkNWVkMi1mNzI0LTRhNzMtODUyNC01OWJhMnCYNXZX89ViZkuiMWEDZiZjRlNTgiLCJzdMTUyMDAxMTA2NiwiaWF0IjoxNTIwMDA3NDY2fQ.2Yk9qz5smUWqNMlSwCvPXjHZzknun9wcP62fytVR1lof4tEjnR5cCI6IkpXVCJ9.euYYKeEP_zb_A1dDYLpKhnBLFoW5Ama9pOrJkz77fJ_gVnemdR9LrrKof9xIAF9JemuYMroCjIawDWHIbiv9tmu4lAO-DIsA6EQN1ER_6SPGofS-Ze07zDEFzQgBLrE5s3v-EGaz6CBczHPyCuFchZ7xnoZ_J3YnuP00PyDYwY5vv9xgPIsz_k0V9Hz3VVlcZu-2YjGxiLrRFgx2lhZP5jlKEI_Qs0_xMtyOE6972ck72CFEnqIxpiPUFRlN9s8f7jRBAnLkkFYh_e4H8FNeA"
expires_in:3600
token_type:"Bearer"

I would like some information on this as well, the documentation states that refresh token support is bundled yet shows no examples. Thanks in advance!

Are you able to help @jaredhanson?

@benrolfe I got mine working, you simply have to generate a refresh token during the exchange and pass the optional refreshToken parameter to the exchange callback. Below is an example of the callback. Hope that helps!

server.exchange(oauth2orize.exchange.code((client, code, redirectUri, done) => {
    // Check the auth code
    // Destroy auth code
    // Create access token
    // Create refresh token
    ...
        return done(null, token, refreshToken, { expires: 3600 });
    ...

}));

@jesseg34 Thanks for the tip, that's exactly what I needed.

On a related note, when you exchange a refresh token for a new access token, should I expect to receive a new refresh token?

This is what I get back after the exchange:

access_token: "eyJhbGmtOIEJkIdMtX3L5tsEA.............dTLpGy4n8hefXae5cYoiFvIXg"
expires_in: 3153600000
token_type: "Bearer"

This is more of an implementation decision; however, the short answer is no. Refresh tokens are meant to be long-lived and normally do not expire.

Some more reference:

Does this logic work with the 'basic' strategy? Or is there a need to define your own custom strategy?

Be aware that for security reasons, some flows do not allow refresh tokens such as implicit grant type flow: https://tools.ietf.org/html/rfc6749#section-9


It worked