Generic 401 without "expired_token" error reported
Hi.
I have implemented a client that uses OAuth2, storing the access token and the refresh token. It works fine, and the refresh operation also works, but if the access token expires I expect a specific error message so I can handle the problem by refreshing the token.
As per the OAuth2 reference documentation
http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4
when a request is made with an expired token, the response header should report an "expired_token" error.
Actually, the Salesforce implementation returns a generic 401 error without additional header information, so it is not possible to check for the specific error and try to refresh the token with the stored refresh token.
The Spring OAuth2 default implementation expects this, as of spring-security-oauth, in
DefaultOAuth2SerializationService.deserializeError()
This is also discussed here:
http://forum.springsource.org/showthread.php?p=333915#post333915
Another related problem is that the expires_on parameter is not returned when the access token is provided in the first instance, as discussed on this board here:
Thanks.
I agree these are important issues to be addressed.
1. we should have a specific "expired_token" error.
2. we should have "expires_on" returned when the token is issued
... "issued_at" is not enough, since token expiration is a setting that can be changed
The current "workaround" solution is not elegant:
- if a request fails with 401 status code, try to re-authenticate (once), hoping it was an expired token
The superior solution is:
- check the cached "expires_on" to see if token should still be valid, ... re-authenticate if necessary
- if a request fails with 401 status code, there should be an explicit "expired_token" error, or else another equally specific diagnostic
-- David Jones
http://dxjones.com
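To make the two strategies discussed in this thread concrete, here is an added example of client-side handling (not Salesforce's, Spring's, or any poster's code): it refreshes proactively when a cached expires_on says the token is stale, and on a 401 it looks for an explicit error in the WWW-Authenticate header (the draft-10 "expired_token" name or the later RFC 6750 "invalid_token" name) and otherwise refreshes exactly once and retries, which is the bare-401 workaround David describes. The Response, TokenStore and FakeResourceServer types are constructed stand-ins so the example runs offline; nothing in it talks to a real token endpoint.

```python
"""Added example: OAuth2 client-side handling of expired access tokens.

Strategy 1: refresh before the call when a cached expires_on has passed.
Strategy 2: on 401, honour an explicit error="..." in WWW-Authenticate;
            with no error at all (a bare 401), refresh once and retry.
"""
import re
import time
from dataclasses import dataclass, field
from typing import Optional

# Error codes that mean "token is dead, refresh and retry": the draft-10 name
# and the RFC 6750 name. Anything else (e.g. insufficient_scope) is not fixed
# by refreshing, so we surface it instead of looping on the token endpoint.
REFRESHABLE_ERRORS = {"expired_token", "invalid_token"}


@dataclass
class Response:                      # constructed stand-in for an HTTP response
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class TokenStore:                    # what the client persists per user
    access_token: str
    refresh_token: str
    expires_on: Optional[float] = None   # epoch seconds; None if the server omits it


class AuthError(Exception):
    pass


def parse_www_authenticate_error(headers: dict) -> Optional[str]:
    """Return the error="..." value of a Bearer challenge, or None if absent."""
    m = re.search(r'error="([^"]+)"', headers.get("WWW-Authenticate", ""))
    return m.group(1) if m else None


def request_with_refresh(send, store: TokenStore, refresh, now=time.time):
    """send(access_token) -> Response; refresh(refresh_token) -> TokenStore.

    Returns (response, possibly-updated store). Refreshes at most once per
    call, so a broken refresh token cannot cause an endless retry loop.
    """
    if store.expires_on is not None and store.expires_on <= now():
        store = refresh(store.refresh_token)          # proactive refresh
    resp = send(store.access_token)
    if resp.status != 401:
        return resp, store
    err = parse_www_authenticate_error(resp.headers)
    if err is not None and err not in REFRESHABLE_ERRORS:
        raise AuthError(f"401 with non-refreshable error: {err}")
    # Explicit expired/invalid token, or a bare 401 with no diagnostic at all
    # (the behaviour reported in this thread): refresh once and retry.
    store = refresh(store.refresh_token)
    resp = send(store.access_token)
    if resp.status == 401:
        raise AuthError("still unauthorized after refreshing the token")
    return resp, store


class FakeResourceServer:
    """Constructed stand-in for an API plus token endpoint, kept in memory."""

    def __init__(self, verbose_errors: bool = False):
        self.valid = {"tok-1"}            # currently accepted access tokens
        self.issued = 1
        self.verbose_errors = verbose_errors
        self.calls = 0                    # number of resource requests seen

    def send(self, token: str) -> Response:
        self.calls += 1
        if token in self.valid:
            return Response(200, body="ok")
        headers = {}
        if self.verbose_errors:           # the behaviour the thread asks for
            headers["WWW-Authenticate"] = 'Bearer error="expired_token"'
        return Response(401, headers)     # otherwise: bare 401, no hint

    def refresh(self, refresh_token: str) -> TokenStore:
        if refresh_token != "rt-1":
            raise AuthError("refresh token rejected")
        self.issued += 1
        tok = f"tok-{self.issued}"
        self.valid = {tok}                # old access token is invalidated
        return TokenStore(tok, refresh_token, expires_on=None)

    def expire(self):
        self.valid = set()                # server-side session ended


def demo():
    """Bare-401 path: valid call, session expires, next call refreshes and retries."""
    server = FakeResourceServer()
    store = TokenStore("tok-1", "rt-1")
    resp, store = request_with_refresh(server.send, store, server.refresh)
    assert resp.status == 200 and server.calls == 1
    server.expire()                       # client has no expires_on to warn it
    resp, store = request_with_refresh(server.send, store, server.refresh)
    return resp.status, store.access_token, server.calls   # (200, "tok-2", 3)


if __name__ == "__main__":
    print(demo())
```

The one-refresh limit is the important design choice: without it, a revoked refresh token or a misconfigured client would hammer the token endpoint on every 401. When the server does send error="expired_token", the client gains nothing new on the happy path, but it can now distinguish that case from insufficient_scope or a revoked token and stop retrying immediately.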
Hey all...
We're examining the expired_token error.
In regards to expires_on, we probably won't support this, as the sessions have sliding windows, and hence it's not really viable to check an expires_on value and have it mean much besides a hint. Supporting the expired_token error would of course make this easier.
-cmort