@Akayy and @sitestreet, just out of interest, with the APIs you are both connecting to, does the refresh token get sent more than once? I mean, if you do another authorise, does it send a new refresh token or the existing one to be used?
If you would not mind checking with something like this added to your code, I would be grateful. I just want to see what is stored inside the session.
<?php
// Start the session
session_start();
// Show session variables
print_r($_SESSION);
?>
The reason I ask is this. As I have said before, with Google OAuth the refresh token is sent only once and never again; you can use providers and authorise steps etc., but you never get a new refresh token.
So I did a test just using session storage. The access token expires after 3600 seconds (1 hour).
I set up a very simple login with an OAuth2 Provider and an OAuth2 Authorise step, which redirects me to a simple dashboard page showing a little data retrieved from the API.
I then waited and refreshed the dashboard page every 10 minutes or so. After an hour I continued refreshing and saw that the session had been updated with a new access token and still had the same refresh token as before. I kept this running for 3 hours to fully test it, and everything worked perfectly.
Then I opened a different browser, Safari instead of Chrome, and went through the same login process; however, this time the Google account was already authorised to use the app from the Chrome test above.
So it ran fine and gave me an access token only; the refresh token was empty, which is what I expected. I refreshed every 10 minutes again and it ran perfectly for the first hour, but when it needed to handle the auto refresh it could not, as it had no refresh token to send to get the new access token.
So my conclusion is that if you are using an API that only sends a refresh token once in a lifetime, then you have to use a database to store that token and maintain it yourself, or your access token refreshing will only ever work the first time the user works on the site. If they use it a couple of days later, they will stop seeing their data after an hour unless they authorise again each hour.
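The conclusion above, that a once-only refresh token has to live outside the PHP session, as an added example that is not code from the original post or from any of the components mentioned in the thread. It persists tokens per user in a SQLite file (assumed name `oauth_tokens.sqlite`, keyed by an assumed `$userId` such as the Google account's `sub` claim), never overwrites a stored refresh token with an empty one from a later authorise, and renews the access token through a caller-supplied callback so it runs offline here. The `RefreshTokenStore` class, its method names and the sample token values are all illustrative; a real refresh callback would POST `grant_type=refresh_token` to the provider's token endpoint. The other way out of the situation described, which the post does not cover, is to build the Google authorise URL with `access_type=offline` and `prompt=consent`, which makes Google issue a refresh token again.

```php
<?php
// Added example (not from the original post): keep the once-only refresh token in a
// database so that a later login from another browser, where the provider returns
// no refresh_token, can still renew the access token after it expires.

class RefreshTokenStore
{
    private PDO $db;

    // Assumed SQLite file; any PDO-backed database works the same way.
    public function __construct(string $path = 'oauth_tokens.sqlite')
    {
        $this->db = new PDO('sqlite:' . $path);
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->db->exec('CREATE TABLE IF NOT EXISTS oauth_tokens (
            user_id       TEXT PRIMARY KEY,
            refresh_token TEXT,
            access_token  TEXT NOT NULL,
            expires_at    INTEGER NOT NULL
        )');
    }

    // Store the decoded JSON of a token-endpoint response (after the authorise step
    // or after a refresh). A refresh_token is only present the first time the app is
    // authorised, so COALESCE keeps the stored one when the response has none.
    public function saveTokenResponse(string $userId, array $resp): void
    {
        $expiresAt = time() + (int)($resp['expires_in'] ?? 3600);
        $stmt = $this->db->prepare(
            'INSERT INTO oauth_tokens (user_id, refresh_token, access_token, expires_at)
             VALUES (:u, :r, :a, :e)
             ON CONFLICT(user_id) DO UPDATE SET
                 access_token  = excluded.access_token,
                 expires_at    = excluded.expires_at,
                 refresh_token = COALESCE(excluded.refresh_token, oauth_tokens.refresh_token)'
        );
        $stmt->execute([
            ':u' => $userId,
            ':r' => $resp['refresh_token'] ?? null,
            ':a' => $resp['access_token'],
            ':e' => $expiresAt,
        ]);
    }

    // Return a usable access token, renewing it via $refreshFn (given the stored
    // refresh token, returns the decoded token-endpoint JSON) once it is within
    // $skew seconds of expiry. Throws when renewal is impossible, which is the case
    // the post ran into: an expired access token and no refresh token to send.
    public function accessToken(string $userId, callable $refreshFn, int $skew = 60): string
    {
        $stmt = $this->db->prepare(
            'SELECT refresh_token, access_token, expires_at FROM oauth_tokens WHERE user_id = :u'
        );
        $stmt->execute([':u' => $userId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            throw new RuntimeException('no tokens stored for user; run the authorise step');
        }
        if ((int)$row['expires_at'] - $skew > time()) {
            return $row['access_token'];
        }
        if ($row['refresh_token'] === null) {
            throw new RuntimeException('access token expired and no refresh token stored; re-authorise');
        }
        $resp = $refreshFn($row['refresh_token']);
        // Refresh responses normally omit refresh_token; the stored one survives.
        $this->saveTokenResponse($userId, $resp);
        return $resp['access_token'];
    }
}

// Walk-through with constructed sample values (no network access).
$store = new RefreshTokenStore();

// First authorise in browser A: the provider includes a refresh_token.
$store->saveTokenResponse('user-123', [
    'access_token'  => 'ya29.first',
    'refresh_token' => '1//refresh',
    'expires_in'    => 3600,
]);

// Later authorise in browser B: no refresh_token in the response. expires_in is
// forced to 0 here only so the renewal path runs immediately in this demo.
$store->saveTokenResponse('user-123', ['access_token' => 'ya29.second', 'expires_in' => 0]);

// Stand-in for the real refresh call; returns what the token endpoint would.
$renew = function (string $refreshToken): array {
    return ['access_token' => 'ya29.renewed', 'expires_in' => 3600];
};

echo $store->accessToken('user-123', $renew), PHP_EOL; // ya29.renewed, via the stored refresh token
```

Storing the refresh token in a database is also the point at which it deserves the same protection as a password: the table should not be readable by the web user beyond this class, and the SQLite file (or equivalent) should sit outside the web root. If the provider ever does return a new refresh token, the `COALESCE` branch takes it, so the stored value tracks the latest one the provider issued.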