I am implementing OAuth2 in my PHP web application. Access tokens are distributed to JavaScript web clients with an expiration of 1 hour, and a refresh token is provided. If the client quits the browser for more than 1 hour, the next time they navigate to my web application the access token is no longer valid during the initial request to the resource server. The resource server then returns an unprotected page.
In the event I have:
- Expired access token
- Valid refresh token
- New session
Should the resource server return an unprotected page, and the client using JavaScript attempt to refresh the access token and, if successful, force the page to reload? Is that common? Or am I missing something so the resource server isn't called twice?
Currently the client passes the refresh token to the resource server, so technically the resource server could refresh the access token. But this doesn't seem to be allowed by RFC 6749, which seems to indicate the resource server should never see the refresh token.
"Refresh tokens MUST be kept confidential in transit and storage, and shared only among the authorization server and the client to whom the refresh tokens were issued."
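As an added example (not code from the question or its author), here is the client-side half of the flow the question describes, written for a JavaScript web client: requests to the resource server carry only the bearer access token, a 401 triggers one refresh against the authorization server's token endpoint, and the original request is retried once with the new token instead of reloading the page. The refresh token is never placed in a request to the resource server, which is the constraint the quoted RFC 6749 text imposes. The endpoint URLs, the token values and the two stub servers are constructed for the example so it runs offline; a real client would pass `window.fetch` as the `transport` argument.

```javascript
// Added example, not part of the question. Assumed endpoint URLs:
const AUTH_TOKEN_ENDPOINT = "https://auth.example.test/oauth/token"; // authorization server
const RESOURCE_ENDPOINT = "https://api.example.test/me";             // resource server

// Browser-side client. `transport` is a fetch-compatible function injected so the
// example runs offline against the constructed stub servers further down.
function createClient(initialTokens, transport) {
  let tokens = { ...initialTokens };
  let refreshInFlight = null; // coalesce concurrent refreshes into one token request

  // RFC 6749 refresh grant: the refresh token goes ONLY to the authorization server.
  function refreshAccessToken() {
    if (!refreshInFlight) {
      refreshInFlight = (async () => {
        const body = new URLSearchParams({
          grant_type: "refresh_token",
          refresh_token: tokens.refreshToken,
        });
        const res = await transport(AUTH_TOKEN_ENDPOINT, {
          method: "POST",
          headers: { "Content-Type": "application/x-www-form-urlencoded" },
          body: body.toString(),
        });
        if (res.status !== 200) throw new Error("refresh failed; re-authenticate the user");
        const data = await res.json();
        tokens = {
          accessToken: data.access_token,
          refreshToken: data.refresh_token || tokens.refreshToken, // server may rotate it
        };
      })().finally(() => { refreshInFlight = null; });
    }
    return refreshInFlight;
  }

  // Resource requests carry only the bearer access token; on 401 refresh and retry once.
  async function fetchResource(url, init = {}) {
    const send = () => transport(url, {
      ...init,
      headers: { ...(init.headers || {}), Authorization: `Bearer ${tokens.accessToken}` },
    });
    let res = await send();
    if (res.status === 401) {
      await refreshAccessToken();
      res = await send();
    }
    return res;
  }

  return { fetchResource, getTokens: () => ({ ...tokens }) };
}

// Constructed stub authorization server + resource server standing in for the network.
function makeStubServers() {
  const validAccess = new Set(["access-1"]);   // constructed token values
  const validRefresh = new Set(["refresh-1"]);
  const calls = { auth: 0, resource: 0, refreshTokenSeenByResource: false };
  let issued = 1;

  async function transport(url, init) {
    const reply = (status, payload) => ({ status, json: async () => payload });
    if (url === AUTH_TOKEN_ENDPOINT) {
      calls.auth += 1;
      const p = new URLSearchParams(init.body);
      if (p.get("grant_type") !== "refresh_token" || !validRefresh.has(p.get("refresh_token"))) {
        return reply(400, { error: "invalid_grant" });
      }
      issued += 1;
      validAccess.add(`access-${issued}`);
      return reply(200, { access_token: `access-${issued}`, token_type: "Bearer", expires_in: 3600 });
    }
    // Resource server: records whether a refresh token ever reached it.
    calls.resource += 1;
    if (JSON.stringify(init).includes("refresh-")) calls.refreshTokenSeenByResource = true;
    const token = ((init.headers && init.headers.Authorization) || "").replace(/^Bearer /, "");
    return validAccess.has(token) ? reply(200, { user: "alice" }) : reply(401, { error: "invalid_token" });
  }

  return { transport, expireAccessToken: (t) => validAccess.delete(t), calls };
}

// Scenario from the question: browser closed for over an hour, access token expired,
// refresh token still valid, first request of the new session hits the resource server.
async function expiredTokenScenario() {
  const servers = makeStubServers();
  const client = createClient({ accessToken: "access-1", refreshToken: "refresh-1" }, servers.transport);
  servers.expireAccessToken("access-1");
  const res = await client.fetchResource(RESOURCE_ENDPOINT);
  return {
    status: res.status,
    resourceCalls: servers.calls.resource,          // 2: one 401, one retry
    authCalls: servers.calls.auth,                  // 1 refresh
    leaked: servers.calls.refreshTokenSeenByResource, // false
    accessToken: client.getTokens().accessToken,    // "access-2"
  };
}
```

Running `expiredTokenScenario().then(console.log)` shows the resource server being called twice (the 401 and the retry) and the authorization server once, with no refresh token in either resource request. The second resource call is the cost of discovering expiry server-side; a client that also records `expires_in` locally can refresh before the first request and avoid it. If the refresh itself fails, `fetchResource` rejects, which is the point at which the client should send the user back through the authorization flow.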