mollie-api-php: OAuth2: Can expired AccessTokens be renewed / do the RefreshTokens expire?

When working with OAuth, the acquired AccessTokens expire in 3600 seconds. To prevent them from expiring, they can be refreshed using the RefreshToken.

The documentation states about the response:

  • refresh_token: The refresh token, with which you will be able to retrieve new access tokens on this endpoint.
  • expires_in: The number of seconds left before the access token expires. Be sure to refresh your access token before this reaches zero.

and:

“Now that we have a refresh token, we should refresh the access token before its expiry date as follows.”

Two questions

  1. The combination of aforementioned documentation kind of “suggests” that the AccessToken can NOT be refreshed anymore after it has expired. This seems awkward to me. For example, after the AccessToken has been expired for, let's say, two weeks, we should still be able to refresh it, right? Or is it expected that an AccessToken is kept “valid” all the time by periodically refreshing it?

  2. Does the RefreshToken itself have an expiry time? Some OAuth servers use this; it does not seem to be documented how Mollie deals with this…

For some documentation, see:

Rationale

The reason I am asking for some clarification / better examples is that our attempts to refresh a (long) expired AccessToken keep on resulting in invalid_grant errors… When testing the refreshing/renewing functionality, it works when an AccessToken has been expired for a short period, but not for a long period, for example:

  • expired 15 minutes ago: works
  • expired 1.5 hours ago: works
  • expired 12 hours ago: works
  • expired 24 hours ago: fails
    • Mollie_API_Exception: Error executing API call (request): Unauthorized request. in /app/vendor/mollie/mollie-api-php/src/Mollie/API/Resource/Base.php:353

So when the AccessToken has been expired for multiple days / weeks, the error occurs; it seems the RefreshToken itself also expires? Some of our reseller partners do not have a “lot” of Mollie Payments. In these cases a RefreshToken that does NOT expire would be preferred.

UPDATE

After reading this article, I think the documentation can be clarified a bit. AccessTokens are renewed / replaced, not refreshed.

This still leaves me with the question whether the RefreshTokens that are used to request new AccessTokens expire themselves as well?

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 15 (10 by maintainers)

Most upvoted comments

@holtkamp @AntonShumin We have changed our API so that a refresh token does not expire anymore. Every time you refresh an access token you will receive the same refresh token, together with the new access token.

Therefore I plead for non-expiring RefreshTokens, which is also the way Google Auth server works, which is an engineering decision.

We’re going to look into this (our reference INI-117).

Are we maybe expected to run a cronjob every day to keep refresh tokens alive?

For now, this is the way to go.
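
The renewal flow discussed in this thread, as an added example that is not part of the issue, the comments or mollie-api-php: renew shortly before `expires_in` runs out, persist whatever refresh token comes back, and treat `invalid_grant` as "the account owner must authorize again" rather than retrying. The class, function and `$postToken` transport are hypothetical names, and the 24-hour idle limit in the stand-in endpoint is an assumption modelled on the failure reported above, not documented behaviour.

```php
<?php
// Added example; ReauthorizationRequired, ensureFreshToken() and $postToken are hypothetical
// names, not mollie-api-php API. $postToken is an assumed transport that POSTs the form (with
// client credentials) to the token endpoint and returns the decoded JSON body as an array.
final class ReauthorizationRequired extends RuntimeException {}

function ensureFreshToken(array $tokens, callable $postToken, int $now, int $skew = 300): array
{
    if ($tokens['expires_at'] - $skew > $now) {
        return $tokens; // access token still valid, no network call
    }
    $response = $postToken(['grant_type' => 'refresh_token', 'refresh_token' => $tokens['refresh_token']]);
    if (($response['error'] ?? null) === 'invalid_grant') {
        // The refresh token itself was rejected; retrying with it cannot help.
        throw new ReauthorizationRequired('refresh token rejected, account owner must re-authorize');
    }
    if (!isset($response['access_token'], $response['expires_in'])) {
        throw new RuntimeException('unexpected token response');
    }
    return [
        'access_token'  => $response['access_token'],
        // Persist the refresh token that comes back; keep the old one if none is returned.
        'refresh_token' => $response['refresh_token'] ?? $tokens['refresh_token'],
        'expires_at'    => $now + (int) $response['expires_in'],
    ];
}

// Constructed stand-in for the token endpoint: rejects a refresh token idle for 24 h or more.
$now = 0;
$lastUsed = 0;
$endpoint = function (array $form) use (&$lastUsed, &$now): array {
    if ($now - $lastUsed >= 86400) {
        return ['error' => 'invalid_grant'];
    }
    $lastUsed = $now;
    return ['access_token' => 'access_' . $now, 'refresh_token' => $form['refresh_token'], 'expires_in' => 3600];
};

$tokens = ['access_token' => 'access_0', 'refresh_token' => 'refresh_constructed', 'expires_at' => 3600];
foreach ([12 * 3600, 36 * 3600] as $now) { // constructed clock: renew after 12 h, then 24 h later
    try {
        $tokens = ensureFreshToken($tokens, $endpoint, $now);
        echo "t={$now}: renewed, expires_at={$tokens['expires_at']}\n";
    } catch (ReauthorizationRequired $e) {
        echo "t={$now}: {$e->getMessage()}\n";
    }
}
```

Even where refresh tokens do not expire, the `invalid_grant` branch still applies when a refresh token has been revoked.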