You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Refresh expired access tokens using the stored refresh token
resolve_token now redeems the persisted refresh_token via the OAuth2 refresh_token grant when the stored access token is expired or within a short skew window, then writes the new token back to the keyring. It falls back to the previous AUTH_TOKEN_EXPIRED behaviour only when no refresh token is available or the refresh is rejected. resolve_token is now async, so all call sites await it.
Copy file name to clipboardExpand all lines: CHANGELOG.md
+6Lines changed: 6 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,5 +1,11 @@
1
1
# Changelog
2
2
3
+
## Unreleased
4
+
5
+
### Added
6
+
7
+
- Automatic refresh-token redemption. When the stored access token is expired (or within a short skew window of expiring), the CLI now silently exchanges the persisted `refresh_token` for a fresh access token via the OAuth2 `refresh_token` grant and updates the keyring, instead of failing with `AUTH_TOKEN_EXPIRED` roughly an hour after login. The previous re-login behaviour remains as a fallback when no refresh token is stored or the refresh request is rejected. This resolves the standing "automatic refresh-token handling" known limitation (#16).
Copy file name to clipboardExpand all lines: docs/faq.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -63,7 +63,7 @@ Teams/Graph can list chats that later fail message reads because the user is no
63
63
64
64
## Why did I get `AUTH_TOKEN_EXPIRED`?
65
65
66
-
The stored access token expired. The CLI requests `offline_access`, but automatic refresh-token handling is still a release-readiness gap. Run:
66
+
The CLI automatically refreshes an expired access token using the stored refresh token (login requests `offline_access`), so this should be rare. You will still see `AUTH_TOKEN_EXPIRED` when no refreshtoken is stored or the refresh is rejected — for example the refresh token itself expired or was revoked. In that case, re-authenticate:
Copy file name to clipboardExpand all lines: docs/troubleshooting.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,16 +18,16 @@ RUST_LOG=teams=debug teams chat list --output json
18
18
19
19
## `AUTH_TOKEN_EXPIRED`
20
20
21
-
Meaning: the keyring token is expired.
21
+
Meaning: the keyring access token is expired and could not be refreshed automatically.
22
22
23
-
Current workaround:
23
+
The CLI now silently redeems the stored refresh token when the access token is expired or about to expire, so this error normally only appears when no refresh token is stored or the refresh request is rejected (for example the refresh token expired or was revoked).
24
+
25
+
Resolution:
24
26
25
27
```bash
26
28
teams auth login --device-code
27
29
```
28
30
29
-
Release-readiness note: automatic refresh-token handling still needs to be completed and validated.
0 commit comments