How can I refresh an OAuth2 token? Do I need to wait for the token to Expire? (Patreon API)

I’m trying out OAuth using Patreon’s API. I’m very new to the OAuth process and have been using Patreon’s Javascript package to help manage the requests for me.

So far I’ve been able to successfully get the token via:

import * as patreon from 'patreon';
const patreonOAuthClient = patreon.oauth(clientId, clientSecret);
patreonOAuthClient.getTokens(oauthGrantCode, redirectURL).then((tokenResponse) => {
    console.log(tokenResponse);
});

The token I receive comes out like this:

// Example token from getTokens()'s then()-response
tokenResponse = {
    access_token: "UbHYT3H51GpeYueBeBuvBj1fnEFzv5A5870s_rYeMHo",
    expires_in: 2678400,
    refresh_token: "AP5aAw-gJbVf35tWxQb74rmJJz2MhwIYq660m0jiZQ4",
    scope: "my-campaign pledges-to-me users",
    token_type: "Bearer",
    version: "0.0.1"
}

In my local server, I’m trying to get the refresh token to work so I don’t have to keep asking users for permission every month.

However, when I use the refresh token method I get a 400 Bad Request:

patreonOAuthClient.refreshToken(tokenResponse).then(response => {
      console.log(response, 'success!');
}).catch(err => {
      console.log(err, ':(');
});

It’s not shown in the npm documentation, but you can find refreshToken() in the GitHub source code of patreon.

According to their API documents:

If you wish to get up-to-date information after the token has expired,
a new token may be issued to be used for the following month. To
refresh a token, make a POST request to the token endpoint with a
grant type of refresh_token, as in the example. You may also manually
refresh the token on the appropriate client in your clients page.

So is the reason I’m getting a 400 that I need to wait a month to refresh the token, or am I just implementing the API incorrectly? I’m hoping someone with more OAuth experience can tell me whether we should be doing token refreshes before or after the token expires.

(If you refresh it before it expires, is there a certain way to time an Express server to do it before the month expires? I think adding a timeout for each token would be really bad for memory.)

You can refresh a token at any time, you do not need to wait until it expires. I haven’t used the Javascript library but looking at the documentation I think I can see where you’re going wrong.

The refreshToken method expects a refreshToken string but you’re passing in a tokenResponse object. Pass the refresh_token in directly like this:

patreonOAuthClient.refreshToken(tokenResponse.refresh_token).then(response => {
      console.log(response, 'success!');
}).catch(err => {
      console.log(err, ':(');
});

Regarding refreshing tokens: you probably don’t want to refresh tokens routinely in the background, because you need to deal with the possibility that an access token has expired for another reason, e.g. there’s been a security breach and all tokens have been automatically expired, or the user has revoked your application's access. You would usually do something like:

  1. Store the access token and refresh token together
  2. Make a request to the API using the access token
  3. If the API request fails because the token is expired, then…
  4. Ask the API for a new access token using the refresh token, then…
  5. Store the new access token in place of the expired token
  6. Retry your original request

How do you check that an API request failed exactly because of this reason? I’m using the PHP Patreon package and figuring out when exactly to refresh the token, but the samples in the docs don’t talk much about this except in one vague example here (API Reference)

When you get a token through the auth code, the expiration date of the token should already be in the return. You can use that date to refresh the token using the refresh token before that date.


Right now that’s what I’m doing: just checking if the expiration time is about to run out and running a refresh if so. Is it certain that the token cannot be invalidated in any other way except when its expiration date is reached?

No, you should assume that the tokens could be invalidated at any time for whatever reason, and have your application make users re-connect their Patreon accounts through your OAuth flow whenever your application detects that a token is invalid or a call with a token is getting an unauthorized response.

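Putting the whole thread together, here is an added example (not code from the Patreon library or from any of the posts above) of the six-step retry-on-401 flow from the first answer, combined with the proactive refresh-before-expiry check and the "assume it can be invalidated at any time, then send the user back through OAuth" handling from the later replies. `apiCall(accessToken)` and `refreshFn(refreshToken)` are assumed, injected functions so the code runs offline; in a real server `refreshFn` would wrap `patreonOAuthClient.refreshToken(refresh_token)`.

```javascript
// Refresh ahead of the stored expiry if within this margin (assumed value).
const REFRESH_MARGIN_MS = 24 * 60 * 60 * 1000;

// Step 1: store the access token and refresh token together, per user.
const tokenStore = new Map();

function saveTokens(userId, tokenResponse, now = Date.now()) {
  tokenStore.set(userId, {
    access_token: tokenResponse.access_token,
    refresh_token: tokenResponse.refresh_token,
    // expires_in is in seconds (2678400 in the example response above)
    expires_at: now + tokenResponse.expires_in * 1000,
  });
}

// Thrown when the only remedy is sending the user back through the OAuth flow.
class ReconnectRequired extends Error {}

// Steps 4 and 5: exchange the refresh token and replace the stored pair.
async function refreshAndStore(userId, refreshToken, refreshFn, now) {
  let fresh;
  try {
    fresh = await refreshFn(refreshToken);
  } catch (err) {
    tokenStore.delete(userId); // refresh token rejected: this connection is dead
    throw new ReconnectRequired(`refresh failed for ${userId}: ${err.message}`);
  }
  saveTokens(userId, fresh, now);
  return fresh.access_token;
}

async function callWithRefresh(userId, apiCall, refreshFn, now = Date.now()) {
  const tokens = tokenStore.get(userId);
  if (!tokens) throw new ReconnectRequired(`no tokens stored for ${userId}`);
  let accessToken = tokens.access_token;
  // Proactive path: refresh before the stored expiry date is reached.
  if (now >= tokens.expires_at - REFRESH_MARGIN_MS) {
    accessToken = await refreshAndStore(userId, tokens.refresh_token, refreshFn, now);
  }
  let res = await apiCall(accessToken); // Step 2
  if (res.status !== 401) return res;
  // Step 3: rejected anyway (early expiry, revocation, mass invalidation):
  // one refresh, then one retry, never a loop.
  accessToken = await refreshAndStore(userId, tokenStore.get(userId).refresh_token, refreshFn, now);
  res = await apiCall(accessToken); // Step 6
  if (res.status === 401) {
    tokenStore.delete(userId); // still unauthorized: user must re-connect
    throw new ReconnectRequired(`token still rejected for ${userId}`);
  }
  return res;
}
```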