Refresh Access Token - Yahoo OAuth

Scott Falbo

Oct 1, 2011, 11:13:36 PM
to GTM OAuth 1 Discussion
Does anyone have advice for the best practice on how to use this
library to refresh an access token (specifically Yahoo in my case)?

The documentation is here
(http://developer.yahoo.com/oauth/guide/oauth-refreshaccesstoken.html)
and I've tried to update the library to
store the oauth_session_handle for making the refresh request and I'm
getting a response of oauth_problem=signature_invalid.

Before I travel too far down the path of changing the library too much
I was wondering if gtm-oauth already supports this directly and
perhaps I've overlooked it.

Thanks for your help / advice.

David Phillip Oster

Oct 1, 2011, 11:30:17 PM
to gtm-...@googlegroups.com
Did you see the comment in the GTMOAuth2Authentication.h header file:

// Main authorization entry points
//
// These will refresh the access token, if necessary, add the access token to
// the request, then invoke the callback.
//
// The request argument may be nil to just force a refresh of the access token,
// if needed.

// The finish selector should have a signature matching
//   - (void)authentication:(GTMOAuth2Authentication *)auth
//                  request:(NSMutableURLRequest *)request
//        finishedWithError:(NSError *)error;

- (void)authorizeRequest:(NSMutableURLRequest *)request
                delegate:(id)delegate
       didFinishSelector:(SEL)sel;

Note particularly: The request argument may be nil to just force a refresh of the access token

Greg Robbins

Oct 2, 2011, 2:38:58 AM
to gtm-...@googlegroups.com
Token expiration is normal for OAuth 2 (and is handled by the gtm-oauth2 library) but I've not before seen it in an OAuth 1 implementation. I do not know if other OAuth 1 providers support that extension.

The gtm-oauth library does add any additional query parameters from the request to the signature string, so there is typically no need to modify the library for additional parameters. Single-step through signatureForParams:request: to see how the signature is created.

It will be necessary to modify the authentication class to support the session handle. Add a sessionHandle property and accessors:

@property (nonatomic, copy) NSString *sessionHandle;

static NSString *const kOAuthSessionHandleKey = @"oauth_session_handle";

- (NSString *)sessionHandle {
  return [paramValues_ objectForKey:kOAuthSessionHandleKey];
}
- (void)setSessionHandle:(NSString *)str {
  [paramValues_ setValue:[[str copy] autorelease]
                  forKey:kOAuthSessionHandleKey];
}

and set it in -setKeysForResponseDictionary:

  NSString *sessionHandle = [dict objectForKey:kOAuthSessionHandleKey];
  if (sessionHandle) {
    [self setSessionHandle:sessionHandle];
  }

Add kOAuthSessionHandleKey to the array in +tokenResourceKeys, and I think it will need to be excluded from the authorization header despite having an "oauth_" prefix, so in addAuthorizationHeaderToRequest:forKeys: specifically make an exception for it:

    BOOL hasPrefix = [name hasPrefix:@"oauth_"] && ![name isEqual:kOAuthSessionHandleKey];

Then a refresh request looks like

  NSString *urlStr = @"https://api.login.yahoo.com/oauth/v2/get_token";
  NSURL *url = [NSURL URLWithString:urlStr];
  NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];
  [mAuth authorizeRequest:request];

With an unexpired token, the server is responding to that request for me with "oauth_problem=token_rejected" but is apparently happy with the request signature.
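
As an added illustration of the signing point in the reply above (not code from the thread or from gtm-oauth, and written in Python rather than the library's Objective-C): an OAuth 1 HMAC-SHA1 signature covers every request parameter, so a request that transmits oauth_session_handle without signing it fails verification. The GET method, the verifier function and all key, token and handle values are constructed assumptions; only the endpoint URL comes from the thread.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # Sort the encoded name/value pairs, join them, then encode the result again
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def server_accepts(method, url, received, consumer_secret, token_secret):
    # A provider recomputes the signature over every parameter it received
    params = {k: v for k, v in received.items() if k != "oauth_signature"}
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, received["oauth_signature"])

# Constructed sample values; none are real credentials.
URL = "https://api.login.yahoo.com/oauth/v2/get_token"
SECRETS = ("constructed-consumer-secret", "constructed-token-secret")
OAUTH = {
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_token": "constructed-access-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1317500000",
    "oauth_nonce": "constructed-nonce",
    "oauth_version": "1.0",
}
HANDLE = {"oauth_session_handle": "constructed-session-handle"}

def signed_request(include_handle_in_signature):
    # The handle is always transmitted; the flag controls whether it was signed
    sent = {**OAUTH, **HANDLE}
    signed_over = sent if include_handle_in_signature else OAUTH
    sent["oauth_signature"] = sign("GET", URL, signed_over, *SECRETS)
    return sent

if __name__ == "__main__":
    for flag in (True, False):
        ok = server_accepts("GET", URL, signed_request(flag), *SECRETS)
        print("handle signed:", flag, "-> accepted:", ok)
```
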

Scott Falbo

Oct 2, 2011, 5:30:50 PM
to GTM OAuth 1 Discussion
Thank you Greg. I'm also getting the same issue
(oauth_problem=token_rejected) even after it expires. I will need to
look further into the specifics of Yahoo's OAuth implementation since
this seems like a bit of a non-standard implementation.
> With an *unexpired* token, the server is responding to that request for me