
Refresh token is not read if expires_in or expires_at is not present #143

@fabioxgn

I'm implementing a custom strategy for one provider I need to integrate with, and they do not return the expiration of the token. I know that this is a bad practice, but it's their implementation. They do return a refresh_token, so I can update the token if I want, but because of this code, the refresh_token is only read if the expiration is set:

hash["refresh_token"] = access_token.refresh_token if access_token.expires? && access_token.refresh_token

I was reading the OAuth RFC, and noticed that the expiration is recommended, but not required: https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2

I can send a patch to change this, but I'm wondering if this might break something or if I should add an option for this behavior. Any advice?

For now, I did a hack on my strategy to set the expiration to an arbitrary value and it solved the issue for me:

option :auth_token_params, { expires_at: 100.years.from_now }
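
An added example, not part of the original post or the project's code: it reproduces the condition quoted above against a hypothetical `FakeToken` stand-in and compares it with a variant that reads the refresh token regardless of expiry. The method names, the sample values and the hash keys other than `refresh_token` are assumptions made for illustration.

```ruby
# Hypothetical stand-in for the access token object; it exposes only the
# methods used by the line quoted in the issue.
FakeToken = Struct.new(:token, :refresh_token, :expires_at) do
  def expires?
    !expires_at.nil?
  end
end

# Condition as quoted in the issue: refresh_token is copied only when
# the token also reports an expiry.
def credentials_current(access_token)
  hash = { "token" => access_token.token }
  hash["refresh_token"] = access_token.refresh_token if access_token.expires? && access_token.refresh_token
  hash["expires_at"] = access_token.expires_at if access_token.expires?
  hash["expires"] = access_token.expires?
  hash
end

# Variant the issue proposes (an assumption, not a merged change):
# refresh_token is read whether or not an expiry is present.
def credentials_decoupled(access_token)
  hash = { "token" => access_token.token }
  hash["refresh_token"] = access_token.refresh_token if access_token.refresh_token
  hash["expires_at"] = access_token.expires_at if access_token.expires?
  hash["expires"] = access_token.expires?
  hash
end

# Constructed sample: provider response with a refresh token but no expiry.
NO_EXPIRY = FakeToken.new("at-constructed", "rt-constructed", nil)

# Constructed sample: the workaround from the issue, a far-future expires_at.
HUNDRED_YEARS = 100 * 365 * 24 * 3600
FAR_FUTURE = FakeToken.new("at-constructed", "rt-constructed", Time.now.to_i + HUNDRED_YEARS)

if __FILE__ == $PROGRAM_NAME
  p credentials_current(NO_EXPIRY)    # refresh_token key is absent
  p credentials_decoupled(NO_EXPIRY)  # refresh_token present, "expires" => false
  p credentials_current(FAR_FUTURE)   # refresh_token present, "expires" => true
end
```

With the far-future workaround the credentials report `"expires" => true` and an `expires_at` a century away, so any downstream logic that refreshes or discards tokens based on `expires_at` treats the token as long-lived.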
