Clarification needed on the oauth tokens :)

I’ve dug into Meteor’s implementation of oauth and got a bit lost with codes, access tokens and refresh tokens.
Taking the fb flow as an example, the login creates a popup that pings the server with a code that the server can exchange for an access token (using the app secret key). Fine. But that token expires. Then what? Will the user just have to log in again, which would issue a new token? Then what’s the point of oauth vs fb just sending the token directly to the client that would pass it to the server?

I’ve noticed that on iOS, the FBSDKLoginKit can directly get an access token without any server / app secret being involved. So:

  • if we don’t need anything more than an access token that expires, what’s the point of oauth and the app secret?
  • if we do, is there something missing in Meteor’s implementation?

I think the former case holds because I could not find things like a refresh token for fb on the internet, but I’m still quite confused :)

No - the server also acquires a refresh token, so when the original access token expires (usually after an hour) it’s able to request another access token.

Some oauth services (including FB from the sound of it) allow a “simple” form of authorisation which does not require a secret. This form is usually used from client code (because the secret needs to be kept secret) and is normally restricted in ability.


From the look of things in my db, there’s no such thing as a refresh token:

> Users.find({}, {limit: 1, fields: { services: 1}, sort: {createdAt: 1}}).fetch()[0].services

{ facebook: 
  { accessToken: '<some long token>',
    expiresAt: 1474394345728,
    id: '1234567890',
    email: 'me@gmail.com',
    name: 'Guillaume Sabran',
    first_name: 'Guillaume',
    last_name: 'Sabran',
    link: 'https://www.facebook.com/app_scoped_user_id/1234567890/',
    gender: 'male',
    locale: 'en_US',
    age_range: [Object]
  },
}

or https://github.com/meteor/meteor/search?utf8=✓&q=refreshToken

You’re right. The FB oauth flow does not use refresh tokens. Who knew? (clearly I didn’t!):

https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension

I didn’t a few hours earlier! Now I’m very confused by the point of oauth for fb. I guess it is to help fb deliver authorization to identified services (using the secret app id)? And apparently it’s easier to identify the service on mobile apps with the bundle id, which might explain why the iOS SDK doesn’t require the secret app id to get an access token.


Thanks for the help. I’ve been able to make a PR for that :) https://github.com/meteor/meteor/pull/7550

Hi

I have built an OAuth connector for IBM Connections. The tokens expire after about 2 hours.

For my custom oauth code, do I need to check for 401s and then make a call to get a new token, or is this meant to be handled by the current Oauth package I am including with my custom connector?

I could just call Meteor.loginWithIBMConnectionsCloud - but not sure if some other approach is more applicable?

thanks

Here’s the IBM Connections API for refreshing tokens:

https://www-10.lotus.com/ldd/appdevwiki.nsf/xpAPIViewer.xsp?lookupName=API+Reference#action=openDocument&res_title=Step_5_Get_a_new_access_token_after_the_access_token_has_expired_sbt&content=apicontent