Refresh token automatically on HTTP 401 or 403 response?

[bradvogel]

I'm using the API (v1.0.10) in the following way:

    var oauth2Client = new OAuth2(getGoogleCredentials().clientId, getGoogleCredentials().secret);
    oauth2Client.setCredentials({
      access_token: user.services.google.accessToken,
      refresh_token: user.services.google.refreshToken
    });
    calendar.events.list({
        calendarId: 'primary',
        auth: oauth2Client
      }, ...);

When my token is expired I get an HTTP 401 back from the server. However, I'd expect the library to automatically refresh my token and make the request again. It doesn't.

I figured out that a workaround is to add the expiry_date when calling setCredentials, e.g.

oauth2Client.setCredentials({
      access_token: user.services.google.accessToken,
      refresh_token: user.services.google.refreshToken,
      expiry_date: user.services.google.expiresAt
    });

But this isn't mentioned in the docs. I'd expect expiry_date to be optional and the API to auto refresh the token.

[ryanseys]

Nope it won't refresh. We did this because when you make a request that requires a media body we can't reliably re-add the media body due to the possibility that the media body is a stream or that the entire body is being piped into the request. Yes, it means you need to add expiry date if one hasn't been added or refresh the token yourself if you know it is expired.

[bradvogel]

Oh ok, makes sense. Can you add expiry_date to the main docs then?

[ryanseys]

It's not meant to be set by the user really. Not sure if documenting it is suggested because it may change in the future without warning.

[bradvogel]

Ok. I still think it's worth mentioning something about the library not taking care of refreshing the token, and how to do it in an example.

[ryanseys]

This is a good point. I filed #262 for this.

[ChrisAlvares]

Hi Ryan,

I was looking through the source, and it seems that if you do not supply an access token in the setCredentials, it will automatically renew the access token before making the request. Can you confirm this behavior? I sometimes receive an "invalid_grant" after about 30-60 days from authenticating even though I supplied the offline parameter in the oAuth dance.

Would you recommend doing something like this to prevent getting the invalid_grant parameter?

setAuthTokens = function(accessToken, refreshToken) {
    if (refreshToken) {
        accessToken = null;
    }
    this.client.setCredentials({
        access_token: accessToken,
        refresh_token: refreshToken
    });
}

[joewoodhouse]

The source code for oauth2client.js does basically say that on a 401 or 403 it will refresh the token and retry?

/**
 * Provides a request implementation with OAuth 2.0 flow.
 * If credentials have a refresh_token, in cases of HTTP
 * 401 and 403 responses, it automatically asks for a new
 * access token and replays the unsuccessful request.
 * @param {object} opts Request options.
 * @param {function} callback callback.
 * @return {Request} Request object
 */
OAuth2Client.prototype.request = function(opts, callback) {

Perhaps the comment should also be removed to avoid confusion?

[ryanseys]

Oh ya this is wrong. I'll fix it.

On Wednesday, September 10, 2014, joewoodhouse notifications@github.com
wrote:

The source code for oauth2client.js does basically say that on a 401 or
403 it will refresh the token and retry?

/**

• Provides a request implementation with OAuth 2.0 flow.
• If credentials have a refresh_token, in cases of HTTP
• 401 and 403 responses, it automatically asks for a new
• access token and replays the unsuccessful request.
• @param {object} opts Request options.
• @param {function} callback callback.
• @return {Request} Request object
  */
  OAuth2Client.prototype.request = function(opts, callback) {

Perhaps the comment should also be removed to avoid confusion?

—
Reply to this email directly or view it on GitHub
#261 (comment)
.

[vladmiller]

So is there any event I can listen and refresh token?

[zoellner]

I ran into a similar issue. What works for me is to set expiry_date to true when setting the credentials and I don't have a date availble. This will force a token refresh, you can then store the client's expiry_date after using it.

    oauth2Client.setCredentials({
      access_token: user.google.accessToken,
      refresh_token: user.google.refreshToken,
      expiry_date: true
    });

[irisSchaffer]

As this issue is not closed yet, I thought I'd ask for an update on the matter. As discussed before, the token is not automatically refreshed, when sending both the refresh_token and the access_token and as @zoellner suggested, adding expiry_date: true solves this problem. However, in the documentation (README.md) it says:

You can start using OAuth2 to authorize and authenticate your requests to Google APIs with the retrieved tokens. If you provide a refresh_token and the access_token has expired, the access_token will be automatically refreshed and the request is replayed.

So you might want to update that.

Spent the last hour debugging my code because of the misleading Readme.md :( You should fix this.