OAuth2 protected resource errors
So I’ve finished my OAuth2 dance and am ready to use my new access token to get at some protected resource. The spec explicitly states that errors while accessing protected resources are “out of scope”. That includes the “error” where the access token has expired.
Since there’s no way to tell if its a real request error (like the caller trying to get at something that doesn’t exist) or something that would succeed with a correct access token, my solution is to trap 400-series errors, get a new access token then retry the request. If it still fails then I return the original error to the caller.
I can’t even guess at the situation based on the access token expiry time because the authorisation server isn’t required to give me one.
I do not like OAuth2.
RFC 6749 - The OAuth 2.0 Authorization Framework