implement token refresh #2

Closed
lila opened this issue Jun 6, 2022 · 3 comments · Fixed by #3

lila commented Jun 6, 2022

token refresh is not currently working with flask-dance-fitbit.

token refresh is the ability to seamlessly refresh any expired tokens without requiring the application to re-authenticate the user and re-run the full oauth protocol. Token refresh is supported by many oauth providers that provide both a token (with expiration) and a refresh_token that is single use.

for example: fitbit supports token refresh using: https://dev.fitbit.com/build/reference/web-api/authorization/refresh-token/

and https://community.fitbit.com/t5/Web-API-Development/How-to-build-Refresh-Token-Flow/m-p/3744205/highlight/true#M10964

I have an open issue with flask-dance looking for some guidance: singingwolfboy/flask-dance#391 (comment)


lila commented Jun 6, 2022

in the requests-oauthlib code, there is this:

```python
for hook in self.compliance_hook["refresh_token_request"]:
    log.debug("Invoking refresh_token_request hook %s.", hook)
    token_url, headers, body = hook(token_url, headers, body)
```

if i can register a custom compliance_hook, then i can set the body and headers based on what fitbit is expecting...
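An added example, not part of the issue thread or the project's code, of the hook idea in the comment above: a `refresh_token_request` hook that moves the client credentials into an HTTP Basic `Authorization` header and keeps them out of the form body. It assumes, per the Fitbit refresh-token documentation linked earlier, that Fitbit expects Basic client authentication on the token endpoint; the function names and sample values are hypothetical.

```python
import base64
from urllib.parse import parse_qsl, urlencode

# Assumption: Fitbit's token endpoint, taken from the Fitbit docs linked above.
FITBIT_TOKEN_URL = "https://api.fitbit.com/oauth2/token"


def make_fitbit_refresh_hook(client_id, client_secret):
    """Return a hook with the (token_url, headers, body) signature quoted above."""
    creds = f"{client_id}:{client_secret}".encode()
    basic = "Basic " + base64.b64encode(creds).decode("ascii")

    def hook(token_url, headers, body):
        headers = dict(headers or {})
        headers["Authorization"] = basic
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        # Credentials travel in the header only; drop any copy from the form body.
        fields = [(k, v) for k, v in parse_qsl(body, keep_blank_values=True)
                  if k not in ("client_id", "client_secret")]
        seen = dict(fields)
        if seen.get("grant_type") != "refresh_token" or not seen.get("refresh_token"):
            raise ValueError("not a refresh_token request")
        return token_url, headers, urlencode(fields)

    return hook


def run_refresh_hooks(hooks, token_url, headers, body):
    """Mirror of the requests-oauthlib loop quoted above, for offline testing."""
    for hook in hooks:
        token_url, headers, body = hook(token_url, headers, body)
    return token_url, headers, body


def demo():
    # Constructed sample values, not real credentials or tokens.
    hook = make_fitbit_refresh_hook("EXAMPLEID", "example-secret")
    body = urlencode({"grant_type": "refresh_token",
                      "refresh_token": "old-refresh-token",
                      "client_id": "EXAMPLEID",
                      "client_secret": "example-secret"})
    return run_refresh_hooks([hook], FITBIT_TOKEN_URL,
                             {"Accept": "application/json"}, body)

# With requests-oauthlib installed, the hook is attached to a session with:
#   oauth_session.register_compliance_hook("refresh_token_request", hook)

if __name__ == "__main__":
    print(demo())
```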


lila commented Jun 6, 2022

here's an example of using automatic refresh tokens with requests-oauthlib.

https://requests-oauthlib.readthedocs.io/en/latest/examples/real_world_example_with_refresh.html

specifically

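```python
from time import time

from requests_oauthlib import OAuth2Session

# session, client_id, client_secret and refresh_url come from the
# surrounding Flask application in the linked example.
token = session['oauth_token']

# We force an expiration by setting expires_at in the past.
# This will trigger an automatic refresh next time we interact with
# Google's API.
token['expires_at'] = time() - 10

extra = {
    'client_id': client_id,
    'client_secret': client_secret,
}

def token_updater(token):
    # Persist the refreshed token so the next request uses it.
    session['oauth_token'] = token

google = OAuth2Session(client_id,
                       token=token,
                       auto_refresh_kwargs=extra,
                       auto_refresh_url=refresh_url,
                       token_updater=token_updater)
```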


lila commented Jun 6, 2022

hmm... added token expiry, and it really looks like the tokens are being renewed:

When i hit /fitbitexpiretoken:

access token: eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiIyMzhDREoiLCJzdWIiOiI2M05IWkMiLCJpc3MiOiJGaXRiaXQiLCJ0eXAiOiJhY2Nlc3NfdG9rZW4iLCJzY29wZXMiOiJyYWN0IHJwcm8iLCJleHAiOjE2NTQ1NjE2MzcsImlhdCI6MTY1NDUzMjgzN30.weJYnko13djbyJ2jZ3DH9OLvJet3Ge3TrjY9GwBPboI
refresh_token: a81d83ee3c0d20dbb573e44c2b19d656526700c5181f0bbec945d1aba59c35ef
expiration time 1654543853.5550377
             in -10.001423
<Response [200]>
access token: eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiIyMzhDREoiLCJzdWIiOiI2M05IWkMiLCJpc3MiOiJGaXRiaXQiLCJ0eXAiOiJhY2Nlc3NfdG9rZW4iLCJzY29wZXMiOiJyYWN0IHJwcm8iLCJleHAiOjE2NTQ1NzI2NzcsImlhdCI6MTY1NDU0Mzg3N30.fjiIYYEwNFhH1IeRN2sCwk5j82JTcvjJrsbcq--u_Mc
refresh_token: 3e924b221c8cb3500f883935615852006cd3406b2f737a461f4395c67d917a42
expiration time 1654572663.698298
             in 28799.894673
127.0.0.1 - - [06/Jun/2022 19:31:03] "GET /fitbitexpiretoken HTTP/1.1" 200 -

i manually expire the token then issue a get-profile api command. after that the token has been updated with a new refresh token and new expiration.

@lila lila linked a pull request Jun 6, 2022 that will close this issue
@lila lila closed this as completed in #3 Jun 6, 2022