
How do refresh tokens work in an OAuth flow?


I'm working with the Reddit API, which uses OAuth to authenticate users for the API.

The APIs for their OAuth mention that essentially you present the user with a webpage, and after they grant approval they're redirected back to your application which is given a code. You can then take this code and make a request to the API to be given an access token which you can store.

With the Reddit API specifically you can set a duration, either temporary or permanent. With permanent, it seemingly seems you need to restore a "refresh token" received alongside the above access token, as the access token will expire every hour, and the refresh token will allow you to be granted a new access token.

Am I correct in understanding this? What is the point of the "permanent" request if hourly it expires? Furthermore, how do I track this in an application sense? Do I set a timer for an hour after the initial token to request a new one? What if the app is closed, do I write the last request time to disk, check if it's been more than an hour, and refresh it otherwise?

Am I understanding refresh tokens properly and they have to be managed this... manually?


Solution

  • Am I correct in understanding this?

    What is the point of the "permanent" request if hourly it expires?

    Furthermore, how do I track this in an application sense?

    You could do a timer or as Wain said, just "refresh on failure".

    What if the app is closed, do I write the last request time to disk, check if it's been more than an hour, and refresh it otherwise?

    Yes or use the "refresh on failure" approach.
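A sketch that combines both approaches from the answer, added here as an example and not part of the original answer: the expiry is written to disk as an absolute time so it survives an app restart, and a 401 triggers one refresh and retry. `TokenStore`, `refresh_fn` and `api_fn` are hypothetical names; `refresh_fn` stands in for the provider's token-endpoint call, and on iOS the refresh token would be kept in the Keychain rather than in a file.

```python
import json
import os
import time


class TokenStore:
    """Hypothetical helper: persists tokens and refreshes them when needed."""

    def __init__(self, path, refresh_fn, clock=time.time, skew=60):
        self.path, self.refresh_fn = path, refresh_fn
        self.clock, self.skew = clock, skew
        self.state = {}
        if os.path.exists(path):  # app was restarted: reload saved state
            with open(path) as f:
                self.state = json.load(f)

    def _save(self):
        # 0600: the refresh token is long-lived, keep it unreadable to others
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(self.state, f)

    def set_tokens(self, access_token, expires_in, refresh_token=None):
        self.state["access_token"] = access_token
        # Store an absolute expiry, not "last request time plus a timer"
        self.state["expires_at"] = self.clock() + expires_in
        if refresh_token:  # keep the old one if the response omits it
            self.state["refresh_token"] = refresh_token
        self._save()

    def _refresh(self):
        resp = self.refresh_fn(self.state["refresh_token"])
        self.set_tokens(resp["access_token"], resp["expires_in"],
                        resp.get("refresh_token"))

    def access_token(self):
        # Proactive path: refresh slightly early to absorb clock skew
        if self.clock() >= self.state["expires_at"] - self.skew:
            self._refresh()
        return self.state["access_token"]

    def call(self, api_fn):
        # Reactive path ("refresh on failure"): one refresh, one retry
        status, body = api_fn(self.access_token())
        if status == 401:
            self._refresh()
            status, body = api_fn(self.state["access_token"])
        return status, body
```

The single retry in `call` is deliberate: if the request still fails after a refresh, the refresh token itself is likely revoked and the user has to authorize again.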