Refreshed token doesn’t include refresh_token #58

Closed
sallar opened this issue Dec 22, 2015 · 5 comments


@sallar

sallar commented Dec 22, 2015

This function uses the refresh_token property to send the refresh request:

function refresh(callback) {
  var params = { grant_type: 'refresh_token', refresh_token: this.token.refresh_token };
  var that = this;

  return core.api('POST', config.tokenPath, params).then(this.create).nodeify(callback);
}

But when the response comes back it calls this.create, which doesn’t preserve the refresh_token property. Many OAuth servers don’t send back the refresh_token property after refreshing the token. They only send back the access token itself.

As a result, refresh functionality works only once.

@jonathansamines
Collaborator

Hi! I was looking into this, but from my understanding, when refreshing a token the OAuth2 server has to return a new refresh_token; without it there isn't a way to refresh the token again, as happened to you. What do you expect to happen if the refresh_token isn't returned?

@sallar
Author

sallar commented Jan 24, 2016

Some OAuth servers don’t return new tokens; they just expect the previous token to be used for refreshing. In that case the code stops working. Thanks.

@jonathansamines
Collaborator

Hi @sallar, I just looked at the OAuth specs, and it's not clear to me that the behaviour you described is the expected one. Like you said, the refresh token is optional, but the spec is not clear about whether we should send the old refresh token in those cases. Do you have a better understanding of that behaviour?

@sallar
Author

sallar commented Mar 29, 2016

@jonathansamines Hi :) We have an OAuth server at work. The first time we get an access_token we get a refresh_token alongside it, and we have to resend that token on every request after the first one, because those requests never send back a refresh_token. So we have to keep that somewhere for re-using. Thanks!

@jonathansamines
Collaborator

Thanks, I'll take a look at this issue then.
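
The behaviour discussed in this thread, as an added example that is not code from this issue or from the library: when a refresh response omits refresh_token the client keeps the one it already holds, and when the server returns a new one the client replaces the old value with it. The names mergeRefreshedToken, refreshToken and postToken are assumptions, and the token values are constructed.

```javascript
// Added example. mergeRefreshedToken, refreshToken and postToken are
// hypothetical names, not part of the library discussed in this issue.

// Combine the token currently held with a refresh response.
// nowMs is injectable so the expiry calculation is deterministic.
function mergeRefreshedToken(previous, response, nowMs = Date.now()) {
  if (!response || typeof response.access_token !== 'string' || response.access_token === '') {
    throw new Error('refresh response has no access_token');
  }
  const merged = Object.assign({}, response);
  const rotated = typeof response.refresh_token === 'string' && response.refresh_token !== '';
  if (!rotated) {
    // Server omitted refresh_token: keep the one already held so the
    // next refresh still has a credential to send.
    merged.refresh_token = previous.refresh_token;
  }
  // If the server did rotate, only the new refresh token is kept.
  if (typeof response.expires_in === 'number') {
    merged.expires_at = nowMs + response.expires_in * 1000;
  }
  return merged;
}

// postToken(params) is an assumed transport function that POSTs to the
// token endpoint and resolves to the parsed JSON body.
async function refreshToken(previous, postToken) {
  if (!previous || !previous.refresh_token) {
    throw new Error('no refresh_token available; re-authorization required');
  }
  const response = await postToken({
    grant_type: 'refresh_token',
    refresh_token: previous.refresh_token,
  });
  return mergeRefreshedToken(previous, response);
}

// Constructed sample data (not real tokens).
const initial = { access_token: 'at-1', refresh_token: 'rt-1', expires_in: 3600 };
const withoutRefresh = { access_token: 'at-2', expires_in: 3600 };
const withRotation = { access_token: 'at-3', refresh_token: 'rt-2', expires_in: 3600 };

const second = mergeRefreshedToken(initial, withoutRefresh, 0);
const third = mergeRefreshedToken(second, withRotation, 0);
console.log(second.refresh_token, third.refresh_token); // rt-1 rt-2
```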
