Description
Every few minutes there are log entries on the server:
{"level":"error","service":"proxy","error":"failed to verify access token: token has invalid claims: token is expired","authenticator":"oidc","path":"/graph/v1.0/me/drives","user_agent":"Mozilla/5.0 (Macintosh) mirall/3.0.3.2073 (OpenCloud, macos-25.1.0 ClientArchitecture: arm64 OsArchitecture: arm64)","client.address":"2001:0db8:...","network.peer.address":"","network.peer.port":"","time":"2025-12-15T20:50:29Z","message":"failed to authenticate the request"}
This is basically a mirror of opencloud-eu/opencloud#919 – but since this probably needs to also be addressed in the desktop client, I'll create this issue.
As discussed in opencloud-eu/opencloud#919 (comment), the client knows the expiration time of the token at all times (except when tokens are revoked), so requests with an expired token can be avoided.
I do not know the architecture of the apps; however, with JS OAuth clients, the token's expiration time (which is always sent along with the token as expires_in) can be checked whenever the token is used, and if necessary the token must be refreshed (the desktop and mobile app request offline_access scope and thus should have a refresh token) and the new token must be used instead. (Note: avoid race conditions where the token might be requested multiple times while it is being refreshed; these need to be synchronized and queued.)
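Added example, not part of the issue or of the OpenCloud client code: a JavaScript sketch of the flow described above, checking the locally stored expiry before each use and letting concurrent callers share a single in-flight refresh. `TokenManager`, `refreshFn`, `skewMs` and `invalidate` are hypothetical names; `refreshFn` stands in for the refresh-token grant against the identity provider.

```javascript
// Added example; all names here are hypothetical, not the client's API.
class TokenManager {
  // refreshFn: async () => ({ access_token, expires_in }) via the refresh token
  constructor(refreshFn, { skewMs = 30000, now = () => Date.now() } = {}) {
    this.refreshFn = refreshFn;
    this.skewMs = skewMs;   // refresh this long before the real expiry
    this.now = now;         // injectable clock so the logic can be tested
    this.accessToken = null;
    this.expiresAt = 0;     // absolute local deadline, ms since epoch
    this.inflight = null;   // shared promise while a refresh is running
  }

  // Convert the relative expires_in (seconds) into an absolute deadline.
  store(resp) {
    this.accessToken = resp.access_token;
    this.expiresAt = this.now() + resp.expires_in * 1000;
  }

  isFresh() {
    return this.accessToken !== null &&
      this.now() < this.expiresAt - this.skewMs;
  }

  // Call when the server rejects a token the client believed valid
  // (for example after revocation), to force a refresh on next use.
  invalidate() {
    this.expiresAt = 0;
  }

  // Returns a promise for a usable access token. Callers arriving while a
  // refresh is running await the same promise, so only one refresh request
  // is sent and nobody proceeds with the expired token.
  getAccessToken() {
    if (this.isFresh()) return Promise.resolve(this.accessToken);
    if (!this.inflight) {
      this.inflight = Promise.resolve()
        .then(() => this.refreshFn())
        .then((resp) => { this.store(resp); return this.accessToken; })
        // Clear on success and failure so a failed refresh can be retried.
        .finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }
}
```

Every request path would call `getAccessToken()` immediately before building its Authorization header rather than caching the token string itself.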