Refresh token auto renewal

Hello,

I am trying to renew the refresh token,

When it expires, I need to go through

1- Get “code” by creating this request

GET 'https://id.twitch.tv/oauth2/authorize?response_type=code&client_id=uo6dggojyb8d6soh92zknwmi5ej1q2&redirect_uri=http://localhost&scope=viewing_activity_read&state=c3ab8aa609ea11e793ae92361f002671'

2- Get refresh token by creating this request

POST https://id.twitch.tv/oauth2/token
    ?client_id=<your client ID>
    &client_secret=<your client secret>
    &code=<authorization code received above>
    &grant_type=authorization_code
    &redirect_uri=<your registered redirect URI>

3- I keep renewing the access token by


https://id.twitch.tv/oauth2/token?grant_type=refresh_token&refresh_token=xxxx&client_id=xxxx&client_secret=xxxx

and I keep storing the refresh token that is returned along with access token for reuse.

4- After a couple of months, the refresh token is no longer valid, and I need to repeat these steps again.

So, is there a good way to automate this?

For example, I’m trying to take the authentication GET request out of these steps to be able to automate it.

Any help will be greatly appreciated,

Thank you

Something else occurred to invalidate the set of tokens.

Assuming you loop step 3 when the token dies.

Then you have something else going on killing the token set.

As what you are doing is correct

Thank you for your response,

My guess was that, in between the period it takes to renew the access token, the refresh token expired,

I try to show what I think in the following example:

1-All good __________2- All good__________3- All good____RTexpired___4- “Invalid refresh token” ( not all good anymore )

Do refresh tokens expire that way?

Cheers

Refresh Tokens don’t have an expiry attached to them.

You already said you are storing the new refresh token.

So you have something else going on that is causing the token and its refresh token to be dead.

As you should be able to keep refreshing forever!

Either the user did something like

  • disconnect the app,
  • reset their password,
  • generated 25 tokens, and the 26th token killed the first in the list. (Generating could be logging into your application for example, and not revoking as you go)

(Generating 25 tokens doesn’t mean refreshing, it’s 25 token/refresh token pairs)

1 Like

That’s brilliant,

POST
https://id.twitch.tv/oauth2/token?grant_type=refresh_token&refresh_token=xxxx&client_id=xxxx&client_secret=xxxx

By making this request I get the same refresh token each time (I send refresh_token=xxxx and I get refresh_token=xxxx), and that’s where I store it. It doesn’t make sense to me to store it since it’s the same each time, but I read that I may get a different one so I need to store it again and again.

If the refresh token I send/get at this request does not expire, then as you said there must be something else that happened.

Many thanks

Yup, you might get a new one, you might not, so I always grab and store myself

Okay, that sounds great.

Many thanks, much appreciated.

I have just noticed, we changed the password around the time the error happened, do you think this may be the reason?

Yup, password resets can cause app disconnections.

Usually that’s more “password reset routine” than a regular reset.

But it’s been known to occur

1 Like
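
The refresh step discussed in this thread, as an added example (not code from any poster or from Twitch): it sends the credentials in a form-encoded POST body rather than the query string, always stores the refresh token that comes back, and raises a distinct error when the token set has been revoked so the user can be sent back through steps 1 and 2. The `store` dict, the `post` transport parameter, the `needs_reauthorization` flag and the treatment of HTTP 400/401 as a rejected refresh token are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://id.twitch.tv/oauth2/token"


class ReauthorizationRequired(Exception):
    """The stored refresh token was rejected; the user must authorize again."""


def http_post_form(url, fields):
    """POST the fields in the request body so secrets stay out of URLs and access logs."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def refresh_tokens(store, client_id, client_secret, post=http_post_form):
    """Refresh the access token; `store` is a hypothetical dict-like persistent store."""
    status, data = post(TOKEN_URL, {
        "grant_type": "refresh_token",
        "refresh_token": store["refresh_token"],
        "client_id": client_id,
        "client_secret": client_secret,
    })
    if status in (400, 401):
        # Assumption: 400/401 means the token set is dead (app disconnected,
        # password reset, token limit). Retrying cannot fix it, so flag it.
        store["needs_reauthorization"] = True
        raise ReauthorizationRequired(data.get("message", "refresh token rejected"))
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")  # transient, retry later
    # The refresh token may or may not change: always keep the one returned.
    store["refresh_token"] = data.get("refresh_token", store["refresh_token"])
    store["access_token"] = data["access_token"]
    store["needs_reauthorization"] = False
    return data["access_token"]
```

Catching `ReauthorizationRequired` separately from other errors lets a scheduler alert an operator instead of retrying a dead token indefinitely.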