shindig-dev mailing list archives

From Michael Matthews <>
Subject Expected behavior when OAuth2 access token expires and no refresh token was given
Date Tue, 17 Jan 2012 20:18:02 GMT

I'm testing our OAuth2 consumer implementation with Shindig's
oauth2_google.xml gadget. Google is sending an access token (and no refresh
token) and everything works until that access token expires. When that
access token expires, what is the expected behavior?

Should Shindig attempt to request a new access token? I suspect updating the
query used in our OAuth2Persister implementation to only return non-expired
tokens would fix the issue for expired access tokens.  However, that same
API call on OAuth2Persister is used to return refresh tokens and I'm not
sure what effect this would have on Shindig's refresh token flow.

Should the gadget detect the HTTP 401 returned by the authorization server
and display the OAuth2 popup dialog that redirects the user to the OAuth2
provider's authorization endpoint?  The one issue I see with doing this is
that the JSON response from Shindig has an empty oauthApprovalUrl property
which would prevent the gadget from sending the user to the authorization
URL to get a new token.  If the authorization server sends back an HTTP 401,
should the oauthApprovalUrl be assigned so that the gadget can forward the
user to the provider's authorization endpoint?

