OAuth2 check token validity / trigger refresh from plugin #8224

Closed
mstilkerich opened this issue Oct 16, 2021 · 3 comments

@mstilkerich
Contributor

Hello,

I have added support to the rcmcarddav plugin to allow using the access token acquired by roundcube to authenticate with CardDAV servers. Now I noticed that when I stay inside the addressbook task for a couple of minutes, the access token expires and I start getting connection errors. Looking at the code of roundcube, the token refresh is triggered upon connection to the imap, smtp, or managesieve services. I guess none of those is invoked while in the addressbook task. However, the check_token_validity function is protected, so I cannot call it from rcmcarddav. I could call one of the hook functions like rcmail_oauth::storage_init(), but that would be a hack.

What is the suggested method to trigger the token refresh if needed from a plugin? Even for managesieve, which is a plugin, the refresh is hard coded into the roundcube core, not part of the plugin code.

@alecpl
Member

alecpl commented Oct 17, 2021

I suppose we should do a refresh in ready or refresh hook.

@thomascube
Member

Now also checking/refreshing access token in refresh hook.

@resposit

Hello,
I don't quite understand when the refresh hook is triggered.
In my setup (keycloak idp), access token expires in 15min, refresh token expires in 30min and SSO max time is 10 hours.
On my RC1.5.2 I'm seeing:

<rgbd5a25> PHP Error: OAuth refresh token request failed: Client error: `POST https://<keycloak-url>/auth/realms/<my-realm>/protocol/openid-connect/token` resulted in a `400 Bad Request` response:
{"error":"invalid_grant","error_description":"Refresh token expired"}

I guess this happens if the user leaves the browser session idle for more than 30min... is that correct?
Is there a way to force the refresh in background (while user is idle..) or to automatically redirect user to the login page when refresh token expires (instead of displaying an error)?

Thanks
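
The token lifecycle discussed in this thread, as an added example that is not part of the issue or of Roundcube's code: a validity check that refreshes shortly before the access token expires and treats an `invalid_grant` reply as "log in again" instead of a generic error. The function name, the `$post` transport callable, the session array keys and the simulated identity provider (15 min access token, 30 min refresh token) are assumptions made for illustration.

```php
<?php
// Added example. ensure_fresh_token(), $post and the session keys are
// hypothetical names, not Roundcube's API.
const REFRESH_MARGIN = 30; // refresh this many seconds before expiry
/**
 * $post: callable(array $form): [int $httpStatus, array $jsonBody]
 * Returns ['action' => 'use'|'refreshed'|'relogin', 'session' => array].
 */
function ensure_fresh_token(array $session, int $now, callable $post): array
{
    if ($now < $session['expires'] - REFRESH_MARGIN) {
        return ['action' => 'use', 'session' => $session];
    }
    [$status, $body] = $post([
        'grant_type'    => 'refresh_token',
        'refresh_token' => $session['refresh_token'],
    ]);
    if ($status === 200 && isset($body['access_token'])) {
        $session['access_token'] = $body['access_token'];
        $session['expires'] = $now + (int) ($body['expires_in'] ?? 0);
        // The server may rotate the refresh token; keep the old one otherwise.
        $session['refresh_token'] = $body['refresh_token'] ?? $session['refresh_token'];
        return ['action' => 'refreshed', 'session' => $session];
    }
    if ($status === 400 && ($body['error'] ?? '') === 'invalid_grant') {
        // Refresh token expired or revoked: retrying cannot succeed, so drop
        // the stored tokens and send the user through login again.
        unset($session['access_token'], $session['refresh_token']);
        return ['action' => 'relogin', 'session' => $session];
    }
    throw new RuntimeException("token endpoint returned HTTP $status");
}

// Constructed stand-in for the IdP: 15 min access token, 30 min refresh token.
$now = $refreshIssued = 0;
$idp = function (array $form) use (&$now, &$refreshIssued): array {
    if ($now - $refreshIssued >= 1800) {
        return [400, ['error' => 'invalid_grant', 'error_description' => 'Refresh token expired']];
    }
    $refreshIssued = $now;
    return [200, ['access_token' => "at-$now", 'expires_in' => 900, 'refresh_token' => "rt-$now"]];
};
$session = ['access_token' => 'at-0', 'refresh_token' => 'rt-0', 'expires' => 900];
foreach ([600, 880, 1700, 3600] as $t) { // constructed request times in seconds
    $now = $t;
    $result = ensure_fresh_token($session, $now, $idp);
    $session = $result['session'];
    echo "t={$t}s: {$result['action']}\n";
}
```

The last simulated request arrives after the refresh token has aged out, so the check returns `relogin` and the caller can redirect to the login page rather than surface the 400 response.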
