[Question] How to manually refresh tokens

[jonsgreen]

Forgive me for my ignorance here as I am still trying to learn how this library works.

We are using your library in an application with a React front end and Rails api backend using doorkeeper with the token expiration set to 1 hour. We have a situation where sometimes the background token refresh fails to happen and so the stored token has become stale and so api requests to our backend fail. The token would refresh if requested but unfortunately it won't happen in the background automatically for up to an hour.

Is there a simple way to catch the api error and manually make a call to refresh the token using your library. I am seeing that the refreshAccessToken function is not exposed in the AuthContext and I am guessing that is intentional.

I am going to keep exploring on my own and will close this issue myself if I figure it out but I thought I would post it in case the maintainers of the library can save me some time and point me in the right direction.

Thanks!

[sebastianvitterso]

What we often do as a "hack" when testing new functionality, is to just set the token expiration to 0 (basically jan 1st 1970).

So you could write a simple function like:

function triggerTokenRefresh() {
  window.localStorage.setItem("ROCP_tokenExpire", 0)
}

Note that this won't make it trigger immediately, but at some time within the next 15 seconds.

---

Otherwise, as most other libraries, the main functionality is built to "depend" on other components working as intended, so I don't see us exposing the refresh-function any time soon.

[jonsgreen]

@sebastianvitterso thanks so much for responding to my question so quickly and converting this to a discussion.

My sense is that our scenario must be pretty common and so I am guessing we must be not configuring our application in a proper way and I am wondering if someone could point us in the right direction.

To explain again we are doing a get request on the root page of our React app. You need to be authenticated in order to access that page and so far we just check that there is a token in localStorage needed for the request. If someone has closed their tabs and then returns after the expiry time for the token then we get a 401. The token then refreshes and repairs itself in the next 15 seconds or so like you suggest but it creates a bad initial experience for the user.

I am curious how you or others would suggest handling this scenario more gracefully. Should we be checking ourselves whether the token is expired before making the api request? Is there some kind of configuration that we are missing?

I still feel like it would be helpful if we could "manually" refresh the token if we get a 401 response and not have to wait the interval for the refresh to happen in the background. We would be happy to contribute to a PR if that seems like it would be a valid, reasonable feature that the library wants to support.

Let me know if any of this is unclear. Thanks again for the help!

[jonsgreen]

Also, I am really curious about how I can publish the dist folder locally so that I can test changes locally to try things out.

[sebastianvitterso]

What do you mean by "publish the dist folder", in this context?
If you'd like to run the library locally, read the "Develop" section of the readme. It's fairly simple to get started. 😄

Good luck!

[Ma-ve]

Heya @jonsgreen - did you ever figure out an alternative?

[soofstad]

You should verify that the token_expire, and refresh_token_expire values are returned from the auth server, and are set in localStorage.
And also you should implement the onRefreshTokenExpire-callback function.
Have a look in https://github.com/soofstad/react-oauth2-pkce?tab=readme-ov-file#configuration-parameters to see what parameters you might need to set.
To debug any further, it would be interesting to see the /token-responses you receive.

[Ma-ve]

@soofstad

To piggyback off of this: how about the situation where the access token is valid for 24 hours, and the refresh token is valid for 30 days. Say you log in at at Monday, 10:00. You leave the page, and you don't back, until Tuesday 11:00. You open a new tab, and the access token has expired. The first API call that happens, a simple /me call, fails, because of a 401 Unauthorized.

Wouldn't it make sense to call the refreshAccessToken() in that case?

Or, another case: if someone has revoked existing sessions/authorizations, by changing their password, so the API calls would return 401. Their refresh token would have been revoked too, but that's absolutely fine, as the refreshAccessToken does a logIn because of config.autoLogin.

Am I missing something, or would these be legitimate use cases that are not covered right now?

[soofstad]

Interesting. Would you mind creating a new issue for this?
And please add you configuration and minimum code to reproduce the bug

[hridaya2004]

Interesting. Would you mind creating a new issue for this? And please add you configuration and minimum code to reproduce the bug

Done. #227

[bhattadp]

Because there is no need. token refresh happens automatically, and if you need a full login, logIn() is exported. Just exporting everything from the package, and have users patch their own buggy solutions together is not the way to go.

@soofstad

We need a manual refresh token mechanism because when a 401 error occurs, the access token gets invalidated without the client being aware. As a result, the client UI loses its session state if we explicitly call logIn(), leading to a poor user experience—especially when a user is in the middle of an action and is suddenly prompted to log in again.

Having an on-demand refresh token allows us to seamlessly recover the session and avoid unexpected logouts, ensuring a smoother and more reliable user experience.
We would like to have a new method, which does not check any token expiry, just renews the token without UI having any impact on its current state or refresh..

Would it be possible, we can raise the PR..

[anijoeroy]

I agree with what @bhattadp explained about how the library currently handles token refresh automatically and why a manual refreshAccessToken() API isn’t exposed today — that approach makes sense from a standard OAuth2/PKCE design perspective.

That said, I wanted to add some context from embedded and long-running application scenarios. In these environments, there are cases where an access token can become invalid unexpectedly — for example, when certificates are renewed, during long idle periods, browser tab suspension, or when storage is cleared.

When this happens, forcing a full re-login can negatively impact the user experience, especially when users are actively working in the application. From a UX standpoint, having the ability to manually trigger a token refresh instead of redirecting to login would allow the application to recover more gracefully and keep users in flow.

Thanks @bhattadp for the explanation and context — really appreciate it.

[soofstad]

@bhattadp
Access token revocation, along with "wake-from-sleep", I think are valid cases where calling "refreshAccessToken()" manually might make sense.

That being said, I think token revocation is a very exotic edge case, since most of the time when a token is revoked, the refresh token will be revoked as well. Leaving "logIn()" as the only option.

And in regards to losing UI state on a full login, that you can solve by calling logIn(loginMethod='popup')(pseudo code).

But I see some cases where having the option to call "refreshAccessToken" manually can be useful. Will get it added 🙂

[soofstad]

@jonsgreen
The option to manually refresh access tokens has now been added in version 1.24.0.
We also modified the check for expired tokens, so when the javascript thread "wake-from-sleep" it will catch and refresh the token almost immediately (as opposed to "within 15sec").

A quick example:

  const { token, refreshAccessToken } = useAuthContext()

  return (
    <>
      <button onClick={() => refreshAccessToken()
          .catch((err) => alert(`Failed to refresh access token: ${err.message}`)
        )}>
        Refresh access token
      </button>
    </>
  )