I have been trying to implement my own OAuth2 Provider and I am a little stuck in the refresh_token part. How am I supposed to deal with it? Am I supposed to check for the refresh_token in the API or on the client side? If I am unclear, I'll give a scenario:
Suppose I have a function on the API side, checkToken, which checks whether the token is invalid or expired. I pass the invalid test easily. Then I check for the expired part, and that is the tricky part for me. In the function checkToken, should I add
    if (findRefreshToken($client_id, $user_id)) {
        $this->grantRefreshToken($client_id, $client_secret, $user_id);
    } else {
        $this->error(401, 'Token expired');
    }
Or should I only return error 401 and let the client decide what to do with it?
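An added example, not the asker's code, sketching the split the question is about in PHP: the resource server's checkToken only validates and answers an expired token with a 401 carrying an RFC 6750 `invalid_token` error, the token endpoint handles `grant_type=refresh_token` after authenticating the client, and the client is the party that reacts to the 401 by refreshing and retrying once. The class and function names (TokenStore, checkToken, refreshGrant, callApi), the client credentials and the clock values are all constructed for the example; a real deployment would keep the store in a database and put the token endpoint on the authorization server rather than next to the API check.

```php
<?php
// Added example (not the asker's code). In-memory sketch of the three roles:
// resource server (checkToken), token endpoint (refreshGrant), client (callApi).

final class TokenStore {
    // access_token => [client_id, user_id, expires_at]
    public array $access = [];
    // refresh_token => [client_id, user_id]
    public array $refresh = [];
    // client_id => client_secret (constructed sample credentials)
    public array $clients = ['app-123' => 's3cret'];

    public function issue(string $clientId, string $userId, int $now, int $ttl): array {
        $accessToken  = bin2hex(random_bytes(16));
        $refreshToken = bin2hex(random_bytes(16));
        $this->access[$accessToken]   = [$clientId, $userId, $now + $ttl];
        $this->refresh[$refreshToken] = [$clientId, $userId];
        return ['access_token' => $accessToken, 'refresh_token' => $refreshToken, 'expires_in' => $ttl];
    }
}

// Resource server side: "invalid or expired" is always a 401 with an RFC 6750
// error in WWW-Authenticate; the API never mints tokens itself.
function checkToken(TokenStore $store, string $accessToken, int $now): array {
    $row = $store->access[$accessToken] ?? null;
    if ($row === null) {
        return ['status' => 401, 'header' => 'Bearer error="invalid_token", error_description="unknown token"'];
    }
    [$clientId, $userId, $expiresAt] = $row;
    if ($expiresAt <= $now) {
        return ['status' => 401, 'header' => 'Bearer error="invalid_token", error_description="token expired"'];
    }
    return ['status' => 200, 'user_id' => $userId, 'client_id' => $clientId];
}

// Token endpoint side (grant_type=refresh_token): authenticate the client,
// check the refresh token was issued to that client, then rotate it.
function refreshGrant(TokenStore $store, string $clientId, string $clientSecret, string $refreshToken, int $now): array {
    $expected = $store->clients[$clientId] ?? null;
    if ($expected === null || !hash_equals($expected, $clientSecret)) {
        return ['status' => 401, 'error' => 'invalid_client'];
    }
    $row = $store->refresh[$refreshToken] ?? null;
    if ($row === null || $row[0] !== $clientId) {
        return ['status' => 400, 'error' => 'invalid_grant'];
    }
    unset($store->refresh[$refreshToken]);   // one-time use: a refresh token is rotated on every refresh
    $tokens = $store->issue($clientId, $row[1], $now, 3600);
    return ['status' => 200] + $tokens;
}

// Client side: call the API; only on a 401 invalid_token refresh and retry once.
function callApi(TokenStore $store, array &$tokens, string $clientId, string $clientSecret, int $now): array {
    $resp = checkToken($store, $tokens['access_token'], $now);
    if ($resp['status'] !== 401 || strpos($resp['header'], 'invalid_token') === false) {
        return $resp;
    }
    $refreshed = refreshGrant($store, $clientId, $clientSecret, $tokens['refresh_token'], $now);
    if ($refreshed['status'] !== 200) {
        return $refreshed;                    // refresh rejected: the user has to log in again
    }
    $tokens = ['access_token' => $refreshed['access_token'], 'refresh_token' => $refreshed['refresh_token']];
    return checkToken($store, $tokens['access_token'], $now);
}

// Walkthrough on a constructed clock: tokens issued at t=0 with a 60 s lifetime, API called at t=120.
$store  = new TokenStore();
$tokens = $store->issue('app-123', 'user-42', 0, 60);
$stale  = $tokens['access_token'];

$direct = checkToken($store, $stale, 120);
echo "API alone: {$direct['status']} {$direct['header']}\n";

$viaClient = callApi($store, $tokens, 'app-123', 's3cret', 120);
echo "Client with refresh: {$viaClient['status']} user={$viaClient['user_id']}\n";
echo "Access token rotated: " . ($tokens['access_token'] !== $stale ? 'yes' : 'no') . "\n";
```

The point the walkthrough makes is that checkToken has no way to do what the question's snippet attempts: the API request carries only the access token, while a refresh needs the client's credentials and the refresh token, which the client holds and presents to the token endpoint. The API's job ends at the 401.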