-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: Broader assumptions on failed refresh requests #38
Comments
I'm gonna vote against a general 40x check at least. A 404 should not happen if the refresh token being expired, and the same applies to 403. I'll accept arguments that 401 might be ok, since technically you're no longer authenticated when this happens, but a 400 makes much more sense. Still... we're working with a plethora of OAuth-providers, so maybe we can start with 400 and see if anyone creates issues that their providers uses 40x, and then add one by one? |
@soofstad Side question related to expiry of tokens : I don't see anything in the documentation regarding options to refresh tokens on expiry. How do we check if a token is expired/valid or renew it when required? PS : Thank you for this simple and effective package. :) |
@prabhurajshell You should not have to check for expiry, nor do a manual refresh. |
Failed refresh requests are not always identified to be caused by an expired refresh_token.
The way this is handled today is too brittle, and requires manually maintaining a list of known error responses from all possible authentication servers.
Suggestion:
Make a broader assumption like if the refresh request fails with a "400" (40x?) status code, that it's caused by an expired refresh_token.
The text was updated successfully, but these errors were encountered: