Hello, I'm testing our OAuth2 consumer implementation with Shindig's oauth2_google.xml gadget. Google is sending an access token (and no refresh token) and everything works until that access token expires. When that access token expires, what is the expected behavior?
Should Shindig attempt to request a new access token? I suspect updating the query used in our OAuth2Persister implementation to only return non-expired tokens would fix the issue for expired access tokens. However, that same API call on OAuth2Persister is used to return refresh tokens and I'm not sure what effect this would have on Shindig's refresh token flow.

Should the gadget detect the HTTP 401 returned by the authorization server and display the OAuth2 popup dialog that redirects the user to the OAuth2 provider's authorization endpoint? The one issue I see with doing this is that the JSON response from Shindig has an empty oauthApprovalUrl property which would prevent the gadget from sending the user to the authorization URL to get a new token.

If the authorization server sends back an HTTP 401, should the oauthApprovalUrl be assigned so that the gadget can forward the user to the provider's authorization endpoint?

Thanks,
Mike