[GH-ISSUE #217] Refresh OAuth2 access tokens by default in the OAuthSwiftClient #122

Closed
opened 2026-03-03 16:45:52 +03:00 by kerem · 7 comments

Originally created by @FGoessler on GitHub (Apr 4, 2016).
Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/217

@fabiomassimo created a convenience method on `OAuth2Swift` to automatically refresh the access token in case of a failure for a normal request in #209 which is nice 👍.

I expected this to be the default behaviour of every request made via the `OAuthSwiftClient`, which seems not to be the case right now.

My suggestion:

  • Put the logic for the refresh in the `OAuthSwiftClient` and only execute it for OAuth2 requests.
  • Which OAuth version is used can be easily extracted from the `OAuthSwiftCredential` of the client.
  • Since the convenience method currently requires some other methods which are implemented on `OAuth2Swift` I would either move them as well, move them to an extension of `OAuthSwiftClient` in the `OAuth2Swift` file or transform them to class methods. What is the preferred solution?
  • Mark the convenience on `OAuth2Swift` as deprecated and let it just call through to the client. Or even remove the convenience method since no release was made since the introduction of the method and therefore no consumer of this library should be affected.

Any thoughts, comments, considerations, suggestions, ...?

I would start working on a PR then. 😉


@antwerpenR commented on GitHub (May 3, 2016):

I am trying to get this to work with Meetup.com and it seems that the access token is correctly set in line 83 of authorizeWithCallbackURL but you are not storing the "expires_in" responseParameter. Also, I can find no trace of any possible use of "grant type=refresh-token" and requestOAuthAccessTokenWithParameters on line 160 is never being called. For reference, the Meetup Spec is here: http://www.meetup.com/meetup_api/auth/#oauth2server-auth-success

Am I doing something wrong or is this a bug? It does seem that the token is correct and signing of requests works properly....just no handling of the refresh


@antwerpenR commented on GitHub (May 3, 2016):

I think the solution may just be to store the "expires_in" at the same time that you store the token. Inserting these lines: 85, 86 and 87.
```
if let expiresIn:String = responseParameters["expires_in"], offset = Double(expiresIn) {
    self.client.credential.oauth_token_expires_at = NSDate(timeInterval: offset, sinceDate: NSDate())
}
```


@FGoessler commented on GitHub (May 4, 2016):

I assume you're using the current version on master, right?

The expires in value is actually stored in the `requestOAuthAccessTokenWithParameters` method.

To have this automatic refresh token renewal you need to use the special method `startAuthorizedRequest(...)` on the OAuth2Swift object for every request which should check for token renewal. It's currently not handled "transparently" for all requests (e.g. if you do them via the GET(...) convenience methods on the OAuthSwiftClient) - this is what this issue and my PR aim for, but the work there is not finished yet and I wouldn't rely on it yet.


@antwerpenR commented on GitHub (May 4, 2016):

Yes - I am on Master latest version.

I use `oauthswift.authorizeWithCallbackURL(NSURL(string: redirectURL)!,...`

(successfully) to get an access token which works....but I see that
"expires in" is not stored.

I then use

oauthswift.startAuthorizedRequest(requiredURL, method: .GET, parameters:...

to (successfully) sign requests and fetch data...and this works for one
hour until the token expires. At that time I get a return saying "invalid
credentials". If I do modify the code to store "expires in" then I get
an error return "expired token" when it expires.....what should I do then
to do a refresh without needing authorisation again?

Thanks for your help...!

Roger Price

On Wed, May 4, 2016 at 7:54 PM, Florian Gößler notifications@github.com
wrote:

> I assume you're using the current version on master, right?
>
> The expires in value is actually stored in the
> requestOAuthAccessTokenWithParameters method.
>
> To have this automatic refresh token renewal you need to use the special
> method startAuthorizedRequest(...) on the OAuth2Swift object for every
> request which should check for token renewal. It's currently not handled
> "transparently" for all request (e.g. if you do them via the GET(...)
> convenience methods on the OAuthSwiftClient) - this is what this issue and
> my PR aim for, but the work there is not finished yet and I wouldn't rely
> on it yet.



@antwerpenR commented on GitHub (May 5, 2016):

Problem solved.

I had copied the code from the Documentation page which uses `responseType
= "token"` in the initialisation of the oauthswift object.

I went back and modified your demo application to add Meetup.com and it
worked perfectly. Then I noticed that you need to use `responseType =
"code"` to get your initial token properly. This causes the flow to work
properly and the refresh token and expiry times come back and do get stored
properly.

Hope I did not cause too much trouble and this clarification may help
others.

Roger Price
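
An added example, not part of the thread and not OAuthSwift code: it shows why the response type matters for refresh. The implicit grant (response type `token`) issues no refresh token (RFC 6749, section 4.2.2), so an expired token can only be replaced by re-authorizing, while the code flow returns a refresh token and `expires_in` that must be stored together. All type, function and token names below are hypothetical.

```swift
import Foundation

// Hypothetical types for illustration; none of this is OAuthSwift API.
struct StoredToken {
    let accessToken: String
    let refreshToken: String?  // nil after the implicit grant (response type "token")
    let expiresAt: Date?       // absolute expiry computed from the relative "expires_in"
}

enum NextStep { case useToken, refresh, reauthorize }

// Keep expiry and refresh token together with the access token.
func store(_ response: [String: String], receivedAt: Date) -> StoredToken? {
    guard let access = response["access_token"] else { return nil }
    let expiresAt = response["expires_in"]
        .flatMap { Double($0) }
        .map { receivedAt.addingTimeInterval($0) }
    return StoredToken(accessToken: access,
                       refreshToken: response["refresh_token"],
                       expiresAt: expiresAt)
}

// Decide before each request; `leeway` refreshes early so a token does not expire in flight.
func nextStep(for token: StoredToken, now: Date, leeway: TimeInterval = 60) -> NextStep {
    guard let expiresAt = token.expiresAt else { return .useToken } // no expiry sent: wait for a 401
    if now.addingTimeInterval(leeway) < expiresAt { return .useToken }
    return token.refreshToken == nil ? .reauthorize : .refresh
}

// Refresh grant body (RFC 6749, section 6); client_id is an assumption for a public client.
func refreshBody(for token: StoredToken, clientID: String) -> String? {
    guard let refreshToken = token.refreshToken else { return nil }
    var components = URLComponents()
    components.queryItems = [
        URLQueryItem(name: "grant_type", value: "refresh_token"),
        URLQueryItem(name: "refresh_token", value: refreshToken),
        URLQueryItem(name: "client_id", value: clientID),
    ]
    return components.percentEncodedQuery
}

// Constructed token responses: authorization-code flow vs. implicit flow.
let issued = Date(timeIntervalSince1970: 1_462_400_000)
let viaCode = store(["access_token": "at-constructed", "expires_in": "3600",
                     "refresh_token": "rt-constructed"], receivedAt: issued)!
let viaImplicit = store(["access_token": "at-constructed", "expires_in": "3600"], receivedAt: issued)!
let later = issued.addingTimeInterval(3700)
print(nextStep(for: viaCode, now: later), nextStep(for: viaImplicit, now: later))
print(refreshBody(for: viaCode, clientID: "client-constructed") ?? "nothing to refresh with")
```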


@Timac commented on GitHub (May 12, 2020):

The PR #596 proposes a solution:

  • that makes OAuthSwift automatically refresh access tokens when they expire
  • which is opt-in by providing one simple convenient method
  • containing the minimum amount of changes needed to avoid breaking existing apps

@phatblat commented on GitHub (May 18, 2021):

Added in #596
