oauth issues on tangled described in more detail

the error we see in the logs is:

```
2025/10/27 09:26:44 WARN auth server request failed request=token-refresh statusCode=400 body="map[error:invalid_grant error_description:Session expired]"
2025/10/27 09:26:44 failed to create pull comment failed to refresh OAuth tokens: token refresh failed: auth server request failed (HTTP 400): invalid_grant
```

which is caused by the access token expiring. we are using indigo's go oauth SDK, which suggests the following when performing authenticated requests:

```go
sess, err := oauthApp.ResumeSession(ctx, did, sessionID)

c := sess.APIClient()

c.Post(ctx, "com.atproto.repo.createRecord", ...)
```

and we do a similar thing:

  1. create an authorized client via ResumeSession followed by sess.APIClient
  2. employ this in handlers to make authorized requests

`ClientApp.ResumeSession` seems to handle just fetching session data, but not refreshing. this was my misunderstanding from reading this portion of `doc.go`:

> The [ClientSession] will handle nonce updates and token refreshes, and persist the results in the [ClientAuthStore].

It seems `ClientSession.RefreshTokens` is only ever called when performing an authorized request. We should be calling this ourselves somewhere.
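An `invalid_grant` reply to a refresh request means the authorization server no longer accepts the refresh token (RFC 6749, section 5.2), so an explicit refresh step has to treat it as terminal rather than retry. The sketch below is an added example, not tangled's or indigo's code: `tokenRefresher`, `sessionStore`, `RefreshOrInvalidate` and `ErrReauthRequired` are hypothetical names, and the `RefreshTokens` signature is assumed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// ErrReauthRequired: the refresh grant is dead; the user has to log in again.
var ErrReauthRequired = errors.New("oauth session expired, re-authentication required")

// tokenRefresher is a hypothetical stand-in for the SDK session type. Only the
// method name RefreshTokens is from the notes above; the signature is assumed.
type tokenRefresher interface{ RefreshTokens(ctx context.Context) error }

// sessionStore is a hypothetical stand-in for the app's session persistence.
type sessionStore interface{ DeleteSession(ctx context.Context, did, sessionID string) error }

// RefreshOrInvalidate refreshes explicitly; invalid_grant drops the session, other errors keep it.
func RefreshOrInvalidate(ctx context.Context, s tokenRefresher, st sessionStore, did, sessionID string) error {
	err := s.RefreshTokens(ctx)
	if err == nil {
		return nil
	}
	// Assumption: the error text carries the OAuth error code, as in the log above.
	if strings.Contains(err.Error(), "invalid_grant") {
		if derr := st.DeleteSession(ctx, did, sessionID); derr != nil {
			return fmt.Errorf("%w (cleanup failed: %v)", ErrReauthRequired, derr)
		}
		return ErrReauthRequired
	}
	return fmt.Errorf("token refresh failed, session kept: %w", err)
}

// Constructed fakes so the example runs offline.
type fakeSession struct{ err error }
func (f fakeSession) RefreshTokens(context.Context) error { return f.err }
type memStore map[string]bool
func (m memStore) DeleteSession(_ context.Context, did, id string) error {
	delete(m, did+"/"+id)
	return nil
}

func main() {
	st := memStore{"did:example:alice/s1": true} // constructed sample values
	dead := fakeSession{err: errors.New("token refresh failed: auth server request failed (HTTP 400): invalid_grant")}
	fmt.Println(RefreshOrInvalidate(context.Background(), dead, st, "did:example:alice", "s1"), len(st))
}
```

A handler that receives `ErrReauthRequired` can redirect to login instead of surfacing a generic failure like the `failed to create pull comment` line in the log.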