managing the refresh access token workflow

I'm looking for advice on how to manage the expired/refresh token flow. In other words, assuming I have all the proper data stored (e.g., oauth_session_handle), what is the proper (i.e., most efficient) method for learning if the token is expired, then refreshing if needed? So far I see a few options, none of which feel perfect:

Method #1: Keep track ourselves

This means storing it as (for example) 'time_expired', and calculating it based on the time of access token storage + 3600 seconds (well, + oauth_expires_in). Then, if the current time exceeds this, it's expired, so refresh the token before doing anything else. Possible errors, sure, so may fall back to method #2 described below.

Method #2: Double query, scan response for token_expire error code on failure

This essentially means run queries twice, sometimes. If it failed but emitted the token_expire error then refresh and try again.

Method #3: ???

I'm new to OAuth so could be overlooking something simple but the OAuth API I use (PHP PECL/OAuth) does not appear to offer an obvious solution, so maybe people here have advice and/or ideas. Also if you have ideas for how said API could be improved for this (or any) task, I'm sure that'd be appreciated too.

1 Reply
  • Hi Phil,

    I would suggest going with method 1 with one minor change:
    You should probably request a new access token a few minutes
    before it expires to allow for time difference between
    your server and Yahoo! OAuth server.

    Yu Wang
    Yahoo! Membership Team
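
A sketch of method 1 with the early-refresh margin suggested in the reply, plus method 2 as a single-retry fallback. This is an added example, not part of the original thread and not PECL/OAuth code; it assumes PHP 8, and `TokenManager`, `TokenExpiredException`, the 300-second margin and the injected refresh and clock callables are all hypothetical.

```php
<?php
// Added example; every name here is hypothetical, none is a PECL/OAuth call.
final class TokenExpiredException extends RuntimeException {}

final class TokenManager
{
    private const SKEW_MARGIN = 300; // refresh 5 minutes early (assumed value)
    private string $accessToken = '';
    private int $expiresAt = 0;      // 0 forces a refresh on first use

    /**
     * @param callable $refresh returns ['token' => string, 'expires_in' => int]
     * @param callable $clock   returns the current Unix time
     */
    public function __construct(private $refresh, private $clock) {}

    public function token(): string
    {
        // Method 1: local expiry check, shifted earlier by the skew margin.
        if (($this->clock)() >= $this->expiresAt - self::SKEW_MARGIN) {
            $this->renew();
        }
        return $this->accessToken;
    }

    /** Runs $request($token); on a token-expired rejection, refreshes and retries once. */
    public function call(callable $request): mixed
    {
        try {
            return $request($this->token());
        } catch (TokenExpiredException $e) {
            // Method 2 as fallback: the server rejected a token we believed valid.
            $this->renew();
            return $request($this->accessToken); // a second failure propagates
        }
    }

    private function renew(): void
    {
        $r = ($this->refresh)();
        $this->accessToken = $r['token'];
        $this->expiresAt = ($this->clock)() + (int) $r['expires_in'];
    }
}

// Constructed demo: a stub refresher issuing numbered tokens valid for 3600 s.
$n = 0;
$tm = new TokenManager(function () use (&$n) { return ['token' => 'tok' . ++$n, 'expires_in' => 3600]; }, 'time');
echo $tm->call(fn (string $t) => "request sent with $t"), PHP_EOL;
```

Capping the fallback at one retry keeps a persistently rejected token from turning into a refresh loop against the authorization server.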
