How to use refresh token in codeigniter rest api?

I’m new in codeigniter 4 rest api and oath. I’m able to create login that return the token and the refresh token. My problem is when the token has expired. How can I get new token using the refresh token? Do I have to create a new function in the controller for that? Or can it be the same endpoint as the login? I’ve read in some articles that I need to send grant_type, client_id, client_secret and the refresh token as a post. But I don’t know the endpoint on where to send this. I’m totally new to this, please help me. Thanks.

User.php(Controller)

<?php namespace AppControllers;

use AppLibrariesOauth;
use OAuth2Request;
use CodeIgniterAPIResponseTrait;
use AppModelsUserModel;


class User extends BaseController
{
    use ResponseTrait;

    public function login(){
        $oauth = new Oauth();
        $request = new Request();
        $respond = $oauth->server->handleTokenRequest($request->createFromGlobals());
        $code = $respond->getStatusCode();
        $body = $respond->getResponseBody();
        return $this->respond(json_decode($body), $code);
       
    }

Oauth.php

<?php namespace AppLibraries;

//use OAuth2StoragePdo;
use AppLibrariesCustomOauthStorage;


class Oauth{
  var $server;

  function __construct(){
    $this->init();
  }

  public function init(){
    $dsn = getenv('database.default.DSN');
      $username = getenv('database.default.username');
    $password = getenv('database.default.password');

    $storage = new CustomOauthStorage(['dsn' => $dsn, 'username' => $username, 'password' => $password]);
    $this->server = new OAuth2Server($storage);
    $this->server->addGrantType(new OAuth2GrantTypeUserCredentials($storage));
  }
}

Answer

When you want to implement an OAuth2 system with CI4, you’re free to making it however you want since nothing is already created to do so in the framework. Here it looks like you’re using bshaffer oauth2 lib for PHP (try to read their cookbook. It personally helped me a lot implementing it in a CI4 project : https://bshaffer.github.io/oauth2-server-php-docs/cookbook).

First if you want to make a refresh token with this lib you have to add the refreshtoken grant type to your server.

$this->server->addGrantType(new OAuth2GrantTypeUserCredentials($storage));
// this add the refresh token grant type.
// param 'always_issue_new_refresh_token' allows you to catch a new refresh token
// when making a call with a refresh token
$this->server->addGrantType(new OAuth2GrantTypeRefreshToken($storage, [
    'always_issue_new_refresh_token' => true
]));

Then the lib will handle it for you with $respond = $oauth->server->handleTokenRequest($request->createFromGlobals());. You don’t need to add anything in your controller.
It’s up to you to create a new route in your Config/Routes.php for the refresh token call. But as your controller code will be the exact same it could be a good point to keep it on the same route.

Also the HTTP request you will send to your oauth server must have :

• Header Content-Type as application/x-www-form-urlencoded
• A body parameter grant_type=refresh_token. That’s how your lib will determine that it needs to use the refresh token process.
• An other parameter named refresh_token with the actual refresh token

Don’t forget to read the lib’s documentation which is pretty small but really clean : https://bshaffer.github.io/oauth2-server-php-docs/grant-types/refresh-token/