Use refresh tokens for OAuth #1377
Comments
So, you need to store in the session both the oauth token and the expiration date. When the expiration date is close (eg half of the oauth token duration), you can use the refresh token to create a new oauth token and store it in DB in the session's document. The more tricky part is refreshing the refresh token. It will only work once, and you need to store the new refresh token in DB. The old token won't be valid anymore. I would suggest refreshing the refresh token at the next opportunity once it's a month old. Since the sessions last two weeks, there's no risk of a session with an expired refresh token (they last three months, at least with HF). When the oauth token cannot be refreshed and expires, the session should probably be removed from DB. Probably got in more details than needed 😅
The refresh access token request will also return the refresh token*, there is no separate request to renew the refresh token (at least not in the spec). If HuggingFace IDP always returns a new refresh token, then always setting both tokens on login/refresh makes sense.

* it depends on the identity provider implementation. Some IDPs always return a new refresh token, some only return it if the expiration time of the old one is short. Also some useful info: some IDPs return the refresh token as JWT but some just return a formatless string, it means that expiration date of the refresh token might not always be known.
Yes my bad, the same call refreshes both the access token & refresh token.
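The flow from the two comments above (store the access token with its expiry, refresh at half of its lifetime, persist the rotated refresh token at once, drop the session only when refresh fails and the access token has expired), as an added TypeScript example that is not chat-ui's own code; `FakeIdp` is a constructed stand-in for the provider's token endpoint and every name here is an assumption.

```typescript
// Added example (not chat-ui code): an OAuth session record with a rotating refresh
// token, following the flow the comments above describe. Names are assumptions.
interface TokenResponse {
  access_token: string;
  expires_in: number;        // access token lifetime in seconds (RFC 6749 §5.1)
  refresh_token?: string;    // some IdPs omit it; rotate only when it is present
}
export interface OAuthSession {
  accessToken: string;
  accessTokenIssuedAt: number;  // epoch ms
  accessTokenExpiresAt: number; // epoch ms
  refreshToken: string;
}

export function sessionFromTokens(res: TokenResponse, prevRefresh: string, now: number): OAuthSession {
  return {
    accessToken: res.access_token,
    accessTokenIssuedAt: now,
    accessTokenExpiresAt: now + res.expires_in * 1000,
    // A rotated refresh token invalidates the previous one, so persist it immediately.
    refreshToken: res.refresh_token ?? prevRefresh,
  };
}

// Refresh once half of the access token's lifetime has elapsed.
export function shouldRefresh(s: OAuthSession, now: number): boolean {
  return now >= (s.accessTokenIssuedAt + s.accessTokenExpiresAt) / 2;
}

// Apply the token endpoint's answer. `null` means the IdP rejected the refresh token;
// the session is kept only while its access token is still valid, then dropped.
export function applyRefreshResult(s: OAuthSession, res: TokenResponse | null, now: number): OAuthSession | null {
  if (res === null) return now < s.accessTokenExpiresAt ? s : null;
  return sessionFromTokens(res, s.refreshToken, now);
}

// Constructed stand-in for an IdP token endpoint that rotates refresh tokens and
// accepts each one exactly once, the behaviour the comments warn about.
export class FakeIdp {
  private valid = new Set<string>();
  private n = 0;
  refresh(refreshToken: string): TokenResponse | null {
    if (!this.valid.delete(refreshToken)) return null; // unknown or already used
    return this.login();
  }
  login(): TokenResponse {
    const rt = `rt-${++this.n}`;
    this.valid.add(rt);
    return { access_token: `at-${this.n}`, expires_in: 3600, refresh_token: rt };
  }
}
```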
Currently looking into the same issue and I came across this thread. Circling back for any updates on this? @nsarrazin
Currently we use long-lived sessions that get extended when the user performs an action. In order to better manage sessions, we could switch to an OAuth flow where we have a short lived session with an access token cookie and a refresh token that we can use to refresh the sessions, since HuggingFace now supports refresh tokens.
We would probably need to make this flow opt-in in the config as I'm not sure every oauth provider supports this?
relevant: #1365 (review)
cc @coyotte508 if you have any resources on how to implement this, I've never done it before 👀