davide.turchetti

Generic 401 without "expired_token" error reported

Hi.

I have implemented a client that uses OAuth2, storing the access token and the refresh token. It works fine and the refresh operation also works, but if the access token expires I expect a specific error message so I can handle the problem by refreshing the token.

As per the OAuth2 reference documentation

http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4

when a request is made with an expired token, the header of the response should report an "expired_token" error.

Actually, the Salesforce implementation returns a generic 401 error without additional header information, so it is not possible to check for the specific error and try to refresh the token with the stored refresh token.

The Spring OAuth2 default implementation expects this, as of spring-security-oauth, in

DefaultOAuth2SerializationService.deserializeError()

This is also discussed here:

http://forum.springsource.org/showthread.php?p=333915#post333915

Another related problem is that the expires_on parameter is not returned when the access token is provided in the first instance, as discussed on this board here:

http://boards.developerforce.com/t5/REST-API-Integration/OAuth-2-0-User-Agent-flow-doesn-t-return-expires-on/m-p/223323

Thanks.

dxjones

I agree these are important issues to be addressed.

1. We should have a specific "expired_token" error.

2. We should have "expires_on" returned when the token is issued

... "issued_at" is not enough, since token expiration is a setting that can be changed.

The current "workaround" solution is not elegant:

- if a request fails with 401 status code, try to re-authenticate (once), hoping it was an expired token

The superior solution is:

- check the cached "expires_on" to see if the token should still be valid, ... re-authenticate if necessary

- if a request fails with 401 status code, there should be an explicit "expired_token" error, or else another equally specific diagnostic

-- David Jones

http://dxjones.com


chuckmortimore

Hey all...

We're examining the expired_token error.

In regards to expires_on, we probably won't support this, as the sessions have sliding windows, and hence it's not really viable to check an expires_on value and have it mean much besides a hint. Supporting the expired_token error would of course make this easier.

-cmort
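The client logic the thread argues over, as an added example that is not code from any poster or from Salesforce: it follows David Jones's "superior solution" (use a cached expires_on to refresh proactively, treat an explicit expired_token error as certain and a bare 401 as a single guarded retry) while honouring cmort's caveat that expires_on is only a hint. The FakeSalesforce server, the refresh callback and the `OAuth realm=..., error="expired_token"` WWW-Authenticate header are constructed assumptions modelled on the draft the first post cites, not the real API.

```python
import re
import time


class FakeSalesforce:
    # Constructed stand-in for the resource server (not the real API): unknown tokens get
    # a 401, and the error="expired_token" header is sent only when send_error_header is True.
    def __init__(self, valid_tokens, send_error_header):
        self.valid, self.send_error_header = set(valid_tokens), send_error_header

    def get(self, token):
        if token in self.valid:
            return 200, {}, '{"ok": true}'
        hdrs = {"WWW-Authenticate": 'OAuth realm="sf", error="expired_token"'}
        return 401, (hdrs if self.send_error_header else {}), ""


def has_expired_token_error(headers):
    # The draft carries the error code in WWW-Authenticate; a bare 401 has no such header.
    return re.search(r'error="expired_token"', headers.get("WWW-Authenticate", "")) is not None


class TokenClient:
    def __init__(self, server, refresh, access_token, expires_on=None, clock=time.time):
        self.server, self.refresh, self.clock = server, refresh, clock
        self.access_token, self.expires_on = access_token, expires_on
        self.refreshes, self.last_401_was_explicit = 0, None  # diagnostics for the caller

    def _refresh(self):
        self.access_token, self.expires_on = self.refresh()  # assumed: returns (token, expires_on)
        self.refreshes += 1

    def request(self):
        # Step 1: expires_on is only a hint (the session window slides), so use it to refresh
        # proactively, but never take an unexpired hint as proof that the token is still valid.
        if self.expires_on is not None and self.clock() >= self.expires_on:
            self._refresh()
        status, headers, body = self.server.get(self.access_token)
        if status == 401:
            # Step 2: an explicit expired_token error means refresh is the right fix; a bare 401
            # is ambiguous, so refresh once and retry, then give up rather than loop forever.
            self.last_401_was_explicit = has_expired_token_error(headers)
            self._refresh()
            status, headers, body = self.server.get(self.access_token)
            if status == 401:
                raise PermissionError("still 401 after one refresh; not an expired token")
        return status, body
```

The `last_401_was_explicit` flag is what lets a caller distinguish the guessed retry from the diagnosed one in its logs.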