oauth2 how to deal with refresh token

Question

I have been trying to implement my own OAuth2 Provider and I am a little stuck in the refresh_token part. How am I suppose to deal with it?Am I supposed to check for refresh_token in the API or in the client side? If I am a unclear Ill give a scenario:

Suppose I have a function in the API side checkToken which checks if the token is invalid or expired. I pass the invalid test easily. Then I check for the expired part. So the tricky part is here for me. In the function checkToken should I add

if(findRefreshToken($client_id, $user_id)) {
  $this->grantRefreshToken($client_id, $client_secret, $user_id);
} else {
   $this->error(401, 'Token expired');
}

Or should I only have error 401 and the client finds what to do with it?

Answer 1

Here is my experience when implementing the oAuth library and api using this library.

1. If you are implementing it as a library,you need to have checkToken and refreshToken seperately.So the api(depending on the requirement) can decide whether to refresh token or not while checking/verifing the token.

2. When doing in the api, again it depends on the requirement.if the requirement is that the user session should be active for some time(say 4 hours) from his last access, then it is better to refresh token every time you are checking/validating the token. The same refresh token can be done on the client,but the issue will be that the client has to call refresh token after every api call,which means there will 2 calls for every single api.

Hope this will clarify.