Refresh token lost on renewal #658

Closed
ghost opened this issue Sep 20, 2017 · 7 comments
@ghost

ghost commented Sep 20, 2017

Hello,

The refresh token is lost when used to renew the access token and no refresh token is sent with the access token.

Library needs to include the previous (Current) refresh token with the new access token if no new refresh token is provided.

@ramsey
Contributor

ramsey commented Jan 13, 2018

Can you provide more information?

If you're encountering a problem with the refresh token or access token, can you show some snippets of code and explain what you're expecting to happen and what is actually happening?

If you're proposing a feature, can you show some example code to illustrate what you're proposing?

Thanks!

@ChrisThompsonTLDR

ChrisThompsonTLDR commented Mar 10, 2018

I'm having the same issue. The refresh token is lost after the first refresh.

$accessToken = cache('accessToken');

if ($accessToken->hasExpired()) {
    $reddit = new Reddit([
        'clientId'      => 'myid',
        'clientSecret'  => 'mysecret',
        'redirectUri'   => 'http://mydomain.com/callback',
        'userAgent'     => 'laravel:athing:0.1, (by /u/me)',
    ]);

    try {
        $newToken = $reddit->getAccessToken('refresh_token', [
            'refresh_token' => $accessToken->getRefreshToken(),
        ]);
    } catch (Exception $e) {
        dd($e->getMessage());
    }

    Cache::forever('accessTokenOld', $accessToken);

    Cache::forever('accessToken', $newToken);
}

After the first refresh, the accessToken looks like

League\OAuth2\Client\Token\AccessToken Object
(
    [accessToken:protected] => jkfldajsfd90r93j2fjDKL
    [expires:protected] => 1520698853
    [refreshToken:protected] => 
    [resourceOwnerId:protected] => 
    [values:protected] => Array
        (
            [token_type] => bearer
            [device_id] => None
            [scope] => modposts read submit
        )

)

The initial/first accessToken looks like this (I moved it to another cache key)

League\OAuth2\Client\Token\AccessToken Object
(
    [accessToken:protected] => jdf()9fJDFkvljf390290sdf
    [expires:protected] => 1520694920
    [refreshToken:protected] => 5639954-IF(d0sjfi032jilsajfd90
    [resourceOwnerId:protected] => 
    [values:protected] => Array
        (
            [token_type] => bearer
            [scope] => modposts read submit
        )

)

The new/second/refreshed accessToken no longer has a refreshToken. This means the first refresh works, the second refresh will not work because the accessToken lost its refreshToken.

@ChrisThompsonTLDR

This ticket can probably be closed. My issue was related to the Reddit client https://github.com/rtheunissen/oauth2-reddit. The userAgent isn't being properly set by the client. Used Guzzle instead and it works fine.

@ghost
Author

ghost commented Mar 21, 2018

This was initially a proposal for a new feature which I didn't communicate very well.

Some APIs use the same, original refresh token that you receive on the first request for every subsequent request, while other APIs give you a new refresh token and invalidate the old one every time you request a new access token.

It would be much more convenient and easier to use / implement if this library always included the refresh token when requesting an access token: if the API you're connecting to does generate a new refresh token, that's included; if not, the previous (Current) request token is included instead.

@stevenbrookes

Agreed, I just came across the same issue using the Vend API. I can fix up in my code, but it would be far safer to do it in this library. Would you like a pull request?

@ramsey
Contributor

ramsey commented Oct 28, 2020

@stevenbrookes Feel free to submit a pull request for this feature.

@awm086

awm086 commented Nov 7, 2024

I ran into this issue with Google. The response from Google when requesting a new token using a refresh token does not include a new refresh token. Google's advice is to store the refresh token in permanent storage and use it with new requests.

I had to change my storage mechanism to keep the refresh token intact with every request unless explicitly returned from the response. I wonder what's the best practice to do so using oauth2 client.
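
One way to carry the refresh token across renewals in application code, as an added example that is not part of the original thread or the library's own code. It assumes league/oauth2-client 2.x installed via Composer; `carryRefreshToken` is a hypothetical helper and all token values are constructed samples.

```php
<?php
// Added example. Assumes league/oauth2-client 2.x is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Client\Token\AccessToken;

/**
 * Hypothetical helper (not a library function): returns the token to persist
 * after a refresh, keeping the previous refresh token when the server's
 * response did not include a new one.
 */
function carryRefreshToken(AccessToken $previous, AccessToken $renewed): AccessToken
{
    // The server rotated the refresh token: store the new one, drop the old one.
    if ($renewed->getRefreshToken()) {
        return $renewed;
    }
    // Nothing to carry forward: the user has to go through authorization again.
    if (!$previous->getRefreshToken()) {
        throw new RuntimeException('No refresh token available; re-authorization required.');
    }
    // Rebuild the renewed token with the retained refresh token; extra values
    // such as token_type and scope are passed through unchanged.
    return new AccessToken($renewed->getValues() + [
        'access_token'      => $renewed->getToken(),
        'expires'           => $renewed->getExpires(),
        'resource_owner_id' => $renewed->getResourceOwnerId(),
        'refresh_token'     => $previous->getRefreshToken(),
    ]);
}

// Constructed sample tokens standing in for real provider responses.
$first = new AccessToken([
    'access_token'  => 'sample-access-1',
    'refresh_token' => 'sample-refresh-1',
    'expires'       => time() - 60,
]);
// Refresh response without a refresh_token, as described in this thread.
$noRotation = new AccessToken([
    'access_token' => 'sample-access-2',
    'expires_in'   => 3600,
    'token_type'   => 'bearer',
]);
// Refresh response from a server that rotates refresh tokens.
$rotated = new AccessToken([
    'access_token'  => 'sample-access-3',
    'refresh_token' => 'sample-refresh-2',
    'expires_in'    => 3600,
]);

printf("kept:    %s\n", carryRefreshToken($first, $noRotation)->getRefreshToken());
printf("rotated: %s\n", carryRefreshToken($first, $rotated)->getRefreshToken());
```

Persist the returned token in place of the old one in a single write, so a failure between refresh and storage cannot leave the cache holding an access token with no refresh token.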
