[5.x] Add refreshToken method

[antoinelame]

This PR introduces a refreshToken method for OAuth 2.0 providers.

Typically, access tokens are updated in the database each time a user logs in. However, this approach may not be adequate for applications that perform actions on behalf of users, such as fetching data from social channels. There are scenarios where the user's session outlasts the token's validity, or where the application needs to use the token without the user's active login.

To address this, the proposed refreshToken method enables the application to refresh access tokens at any time using stored refresh tokens.

$newToken = Socialite::driver('gitlab')->refreshToken($user->gitlab_refresh_token);

$user->update([
    'gitlab_token' => $newToken->token,
    'gitlab_refresh_token' => $newToken->refreshToken,
    'gitlab_token_expires_at' => now()->addSeconds($newToken->expiresIn),
]);

The method returns an instance of the Token class, which includes the refreshed access token, refresh token, expiration duration, and scope.

[taylorotwell]

Does this code work for every first-party supported OAuth2 provider?

[taylorotwell]

Marking as draft pending response.

[antoinelame]

Give me 5 days, I will test them all.

[antoinelame]

Bitbucket

✅ Works well.

Slack

✅ Works well.

Twitter

✅ Works well.

GitLab

✅ Works well.

Google

✅ Works well.

Note: to get a refresh token , you must add ['access_type' => 'offline'] to getTokenFields. So you'll have to tweak Socialite a little. But once you've got it, you can pass it to refreshToken method without any issue.

LinkedIn

✅ Would work well.

I've not been able to create an application authorized to receive refresh tokens. It's reserved for a limited number of partners. But it would work. The endpoint expects the same request body parameters as those sent by the proposed refreshToken method.

Facebook

Facebook doesn’t provide refresh tokens. The refreshToken method is not relevant here.

GitHub

For OAuth Apps, access tokens don’t expire. Refresh tokens can only be enabled for GitHub Apps. The refreshToken method is not relevant here.

[NileshS-RSW]

I facing this problem
"laravel/socialite": "^5.5",
"socialiteproviders/apple": "^5.5",

Declaration of SocialiteProviders\\Apple\\Provider::refreshToken(string $refreshToken): Psr\\Http\\Message\\ResponseInterface must be compatible with Laravel\\Socialite\\Two\\AbstractProvider::refreshToken($refreshToken)',
  'file' => '/var/www/html/coinpanda-backend/vendor/socialiteproviders/apple/Provider.phpv

-> Can you help me to solve this problem

[driesvints]

@NileshS-RSW report this issue to the socialite providers repo.

[VirusEcks]

apple is broken too because of this update

[pawell67]

Okta is broken as well

[cosmastech]

Seems like this broke a lot of things. Any chance this might get reverted? @taylorotwell

edit: nevermind. seems like there's already good progress on fixing the providers from socialite/providers.

[antoinelame]

Hey @cosmastech,

It's unfortunate that the update affected some third-party providers.

However, I believe it's important to be able to evolve Socialite without being restricted by third-party providers. You can submit a Pull Request to SocialiteProviders/Providers. The required change is quite straightforward: the refreshToken method doesn't need to be declared on the third-party provider, as it's now already included in the AbstractProvider.

In the meantime, while waiting for your PR, or someone else's, to be accepted, you can do this:

composer require laravel/socialite:5.10.0

[cosmastech]

Hey @cosmastech,

It's unfortunate that the update affected some third-party providers.

However, I believe it's important to be able to evolve Socialite without being restricted by third-party providers. You can submit a Pull Request to SocialiteProviders/Providers. The required change is quite straightforward: the refreshToken method doesn't need to be declared on the third-party provider, as it's now already included in the AbstractProvider.

In the meantime, while waiting for your PR, or someone else's, to be accepted, you can do this:

composer require laravel/socialite:5.10.0

Thanks for the reply @antoinelame. I did lock the socialite version on our app.

That said, the solution for Okta provider wasn't that refreshToken() needed removed, it's that the signature for the newly added getRefreshTokenResponse() method now conflicts with what was previously defined in the provider. The easier solution, in my opinion, would be to just change the method name in laravel/socialite. 🤷

Not an intentional BC by any stretch of the imagination, and surprised that I've never come across a problem that like this before in the open-source world (as it seems like it would be common that a parent class' new method name might clash with a name that a child class chose).

Thanks for your contribution!