From 19001676de1665af420b1bb880359d9cea4b9ba7 Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Thu, 7 Nov 2024 14:47:57 +0100
Subject: [PATCH] more specific error handling for failure to refresh auth

only consider HTTP 4XX expired auth
---
 oauthenticator/oauth2.py | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/oauthenticator/oauth2.py b/oauthenticator/oauth2.py
index 123557cb..626ec092 100644
--- a/oauthenticator/oauth2.py
+++ b/oauthenticator/oauth2.py
@@ -1320,6 +1320,7 @@ async def refresh_user(self, user, handler=None, **kwargs):
         """
         if not self.enable_auth_state:
             # auth state not enabled, can't refresh
+            self.log.debug("auth_state disabled, no auth state to refresh")
             return True
         auth_state = await user.get_auth_state()
         if not auth_state:
@@ -1332,12 +1333,15 @@ async def refresh_user(self, user, handler=None, **kwargs):
         auth_model = None
         try:
             auth_model = await self._token_to_auth_model(token_info)
-        except Exception as e:
-            # usually this means the access token has expired
-            # handle more specific errors?
-            self.log.info(
-                f"Error refreshing auth with current access_token for {user.name}: {e}. Will try to refresh, if possible."
-            )
+        except HTTPClientError as e:
+            # assume any client error means an expired token
+            # most likely 401 or 403 for well-behaved providers
+            if 400 <= e.code < 500:
+                self.log.info(
+                    f"Error refreshing auth with current access_token for {user.name}: {e}. Will try to refresh, if possible."
+                )
+            else:
+                raise
         refresh_token = auth_state.get("refresh_token", None)
         if refresh_token and not auth_model:
             self.log.info(f"Refreshing oauth access token for {user.name}")
@@ -1352,6 +1356,10 @@ async def refresh_user(self, user, handler=None, **kwargs):
                     f"Error using refresh_token for {user.name}: {e}. Requiring fresh login."
                 )
                 return False
+            else:
+                self.log.debug(
+                    f"Received fresh access_token for {user.name} via refresh_token"
+                )
             # refresh_token may not be returned when refreshing a token
             # in which case, keep the current one
             if not token_info.get("refresh_token"):