A passport.js add-on to provide automatic OAuth 2.0 token refreshing.
Switch branches/tags
Clone or download
Latest commit 49ce2cc Jun 6, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
lib Update refresh.js Jun 6, 2018
test Updated dependencies Jun 6, 2018
.gitignore Cleanup Nov 16, 2014
.jshintrc Initial commit Nov 16, 2014
.travis.yml Remove support for node <0.10 Dec 17, 2015
CHANGELOG.md v1.1.0 Jun 6, 2018
LICENSE Initial commit Nov 16, 2014
README.md Updated README Dec 17, 2015
package.json v1.1.0 Jun 6, 2018


Passport OAuth 2.0 Refresh

An add-on to the Passport authentication library to provide a simple way to refresh your OAuth 2.0 access tokens.

Build Status npm version Dependency Status devDependency Status


npm install passport-oauth2-refresh --save


When setting up your passport strategies, add a call to refresh.use() after passport.use().

An example, using the Facebook strategy:

var passport = require('passport'),
  , refresh = require('passport-oauth2-refresh')
  , FacebookStrategy = require('passport-facebook').Strategy;

var strategy = new FacebookStrategy({
  clientSecret: FACEBOOK_APP_SECRET,
  callbackURL: "http://www.example.com/auth/facebook/callback"
function(accessToken, refreshToken, profile, done) {
  // Make sure you store the refreshToken somewhere!
  User.findOrCreate(..., function(err, user) {
    if (err) { return done(err); }
    done(null, user);


When you need to refresh the access token, call requestNewAccessToken():

var refresh = require('passport-oauth2-refresh');
refresh.requestNewAccessToken('facebook', 'some_refresh_token', function(err, accessToken, refreshToken) {
  // You have a new access token, store it in the user object,
  // or use it to make a new request.
  // `refreshToken` may or may not exist, depending on the strategy you are using.
  // You probably don't need it anyway, as according to the OAuth 2.0 spec,
  // it should be the same as the initial refresh token.


Specific name

Instead of using the default strategy.name, you can setup passport-oauth2-refresh to use an specific name instead.

// Setup
passport.use('gmail', googleStrategy);

// To refresh
refresh.requestNewAccessToken('gmail', 'some_refresh_token', done);

This can be useful if you'd like to reuse strategy objects but under a different name.

Additional parameters

Some endpoints require additional parameters to be sent when requesting a new access token. To send these parameters, specify the parameters when calling requestNewAccessToken as follows:

var extraParams = { some: 'extra_param' };
refresh.requestNewAccessToken('gmail', 'some_refresh_token', extraParams, done);


  • See issue #1 for an example of how to refresh a token when requesting data from the Google APIs.


Passport is a library which doesn't deal in implementation-specific details. From the author:

Passport is a library for authenticating requests, and only that. It is not going to get involved in anything that is specific to OAuth, or any other authorization protocol.

Fair enough. Hence, this add-on was born as a way to help deal with refreshing OAuth 2.0 tokens.

It is particularly useful when dealing with Google's OAuth 2.0 implementation, which expires access tokens after 1 hour.