How can I refresh an OAuth2 token? Do I need to wait for the token to Expire? (Patreon API)

I’m trying out OAuth using Patreon’s API. I’m very new to the OAuth process and had been using Patreon’s JavaScript package to help manage the request for me.

So far I’ve been able to successfully get the token via:

import * as patreon from 'patreon';
const patreonOAuthClient = patreon.oauth(clientId, clientSecret);
patreonOAuthClient.getTokens(oauthGrantCode, redirectURL).then((tokenResponse) => {
  console.log(tokenResponse);
});

The token I receive comes out like this:

// Example Token from getTokens()'s then()-response
tokenResponse = {
  access_token: "UbHYT3H51GpeYueBeBuvBj1fnEFzv5A5870s_rYeMHo",
  expires_in: 2678400,
  refresh_token: "AP5aAw-gJbVf35tWxQb74rmJJz2MhwIYq660m0jiZQ4",
  scope: "my-campaign pledges-to-me users",
  token_type: "Bearer",
  version: "0.0.1"
}

In my local server, I’m trying to get the refresh token to work so I don’t have to keep asking users’ permission every month.

Although when I use the refresh token method I get a 400 Bad Request:

patreonOAuthClient.refreshToken(tokenResponse).then(response => {
  console.log(response, 'success!');
}).catch(err => {
  console.log(err, ':(');
});

It’s not shown in the npm documentation but you can find refreshToken() in the GitHub source code of patreon.

According to here in their API documents:

If you wish to get up-to-date information after the token has expired,
a new token may be issued to be used for the following month. To
refresh a token, make a POST request to the token endpoint with a
grant type of refresh_token, as in the example. You may also manually
refresh the token on the appropriate client in your clients page.

So is the reason I’m getting 400 because I need to wait a month to refresh the token or am I just incorrectly implementing the API? I’m hoping someone with more OAuth experience can tell me if we should be doing token refreshes either before or after the token expires?

(If you refresh it before it expires, is there a certain way to time an Express server to do it before the month expires? As I think adding a timeout for each token would be really bad for memory.)

You can refresh a token at any time; you do not need to wait until it expires. I haven’t used the JavaScript library but looking at the documentation I think I can see where you’re going wrong.

The refreshToken method expects a refreshToken string but you’re passing in a tokenResponse object. Pass the refresh_token in directly like this:

patreonOAuthClient.refreshToken(tokenResponse.refresh_token).then(response => {
  console.log(response, 'success!');
}).catch(err => {
  console.log(err, ':(');
});

Regarding refreshing tokens: you probably don’t want to refresh tokens routinely in the background because you need to deal with the possibility that an access token has been expired for another reason, e.g. there’s been a security breach and all tokens have been automatically expired, or the user has revoked your application’s access. You would usually do something like:

  1. Store the access token and refresh token together
  2. Make a request to the API using the access token
  3. If the API request fails because the token is expired, then…
  4. Ask the API for a new access token using the refresh token, then…
  5. Store the new access token in place of the expired token
  6. Retry your original request
2 Likes
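
The six steps in the answer above, as an added example that is not part of the original thread or of the patreon package. It goes slightly beyond the list by sharing one refresh between concurrent requests and by treating a rejected refresh as "re-authorize the user". It assumes an expired token surfaces as HTTP 401; `makeTokenClient`, `api`, `refresh` and `fakeServer` are hypothetical names.

```javascript
// Added example. makeTokenClient, api, refresh and fakeServer are hypothetical
// names; fakeServer is a constructed stand-in, so nothing touches the network.
function makeTokenClient(store, api, refresh) {
  let inFlight = null; // one refresh shared by concurrent callers
  async function renew() {
    try {
      const t = await refresh(store.refresh_token);            // step 4
      store.access_token = t.access_token;                     // step 5
      // The server may rotate the refresh token; keep the newest one.
      if (t.refresh_token) store.refresh_token = t.refresh_token;
    } catch (err) {
      // Refresh rejected (grant revoked, tokens mass-expired): drop the
      // stored tokens and send the user back through authorization.
      store.access_token = store.refresh_token = null;
      throw new Error('reauthorization_required');
    }
  }
  return async function request(path) {
    const res = await api(path, store.access_token);           // step 2
    if (res.status !== 401) return res;                        // step 3 (assumes 401 = expired)
    inFlight = inFlight || renew().finally(() => { inFlight = null; });
    await inFlight;
    return api(path, store.access_token);                      // step 6, one retry only
  };
}

// Constructed fake: accepts only access token 'A2' and refresh token 'R1'.
function fakeServer(revoked) {
  const srv = { refreshCalls: 0 };
  srv.api = async (path, token) =>
    token === 'A2' ? { status: 200, body: path } : { status: 401 };
  srv.refresh = async (rt) => {
    srv.refreshCalls++;
    if (revoked || rt !== 'R1') throw new Error('invalid_grant');
    return { access_token: 'A2', refresh_token: 'R2' };
  };
  return srv;
}

async function demo(revoked = false) {
  const srv = fakeServer(revoked);
  const store = { access_token: 'A1', refresh_token: 'R1' };   // step 1; A1 is expired
  const request = makeTokenClient(store, srv.api, srv.refresh);
  const results = await Promise.all([request('/me'), request('/campaign')])
    .catch((err) => err.message);
  return { results, store, refreshCalls: srv.refreshCalls };
}

demo().then((r) => console.log(r));
```

Because the refresh happens only when a request actually fails, no per-token timer is needed on the server.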