Emit a TokenRefreshFailedEvent when the automatic token refresh fails

docs/oidc-usage.md

@@ -267,7 +267,7 @@ This can be done by calling `logout` with the following optional parameters:
 
 ### Listening to currentUser changes
 
-Whenever a user logs in, logs out, or a token gets refreshed automatically, an event is added to the `userChanges()` stream.
+Whenever a user logs in, logs out, a token gets refreshed automatically, or the automatic refresh of the token fails, an event is added to the `userChanges()` stream.
 
 This is similar to firebase auth, and can be used to track the current session.
 
@@ -395,4 +395,4 @@ static Stream<OidcFrontChannelLogoutIncomingRequest> listenToFrontChannelLogoutR
 [http_image]: https://img.shields.io/badge/package-http-0175C2?logo=dart&logoColor=white
 
 [jose_plus_link]: https://pub.dev/packages/jose_plus#create-a-jwt
-[jose_plus_image]: https://img.shields.io/badge/package-jose__plus-0175C2?logo=dart&logoColor=white
+[jose_plus_image]: https://img.shields.io/badge/package-jose__plus-0175C2?logo=dart&logoColor=white

docs/oidc_core.md

@@ -63,6 +63,10 @@ The base class for all events, this contains an `at` property that stores when t
 
 Occurs before a user is forgotten, either via `forgetUser()` or via `logout()`.
 
+### OidcTokenRefreshFailedEvent
+
+Occurs when the automatic refresh of a token fails.
+
 ## OidcPkcePair
 
 you can use this to generate PKCE key pairs.
@@ -167,4 +171,4 @@ Contains methods that help you implement the OIDC spec yourself.
 --- 
 
 [package_link]: https://pub.dev/packages/oidc_core
-[package_image]: https://img.shields.io/badge/package-oidc__core-0175C2?logo=dart&logoColor=white
+[package_image]: https://img.shields.io/badge/package-oidc__core-0175C2?logo=dart&logoColor=white

packages/oidc_core/lib/src/managers/user_manager_base.dart

@@ -733,8 +733,21 @@ abstract class OidcUserManagerBase {
   Future<OidcUser?> refreshToken({
     String? overrideRefreshToken,
     OidcProviderMetadata? discoveryDocumentOverride,
+  }) {
+    return doRefreshToken(
+      overrideRefreshToken: overrideRefreshToken,
+      discoveryDocumentOverride: discoveryDocumentOverride,
+    );
+  }
+
+  @protected
+  Future<OidcUser?> doRefreshToken({
+    OidcToken? overrideToken,
+    String? overrideRefreshToken,
+    OidcProviderMetadata? discoveryDocumentOverride,
   }) async {
     ensureInit();
+    final token = overrideToken ?? currentUser?.token;
     final discoveryDocument =
         discoveryDocumentOverride ?? this.discoveryDocument;
     if (!discoveryDocument.grantTypesSupportedOrDefault
@@ -743,8 +756,7 @@ abstract class OidcUserManagerBase {
       return null;
     }
 
-    final refreshToken =
-        overrideRefreshToken ?? currentUser?.token.refreshToken;
+    final refreshToken = overrideRefreshToken ?? token?.refreshToken;
     if (refreshToken == null) {
       // Can't refresh the access token anyway.
       return null;
@@ -767,7 +779,7 @@ abstract class OidcUserManagerBase {
       token: OidcToken.fromResponse(
         tokenResponse,
         overrideExpiresIn: settings.getExpiresIn?.call(tokenResponse),
-        sessionState: currentUser?.token.sessionState,
+        sessionState: token?.sessionState,
       ),
       nonce: null,
       userInfo: null,
@@ -798,48 +810,15 @@ abstract class OidcUserManagerBase {
       OidcTokenExpiringEvent.now(currentToken: event),
     );
 
-    if (!discoveryDocument.grantTypesSupportedOrDefault
-        .contains(OidcConstants_GrantType.refreshToken)) {
-      //Server doesn't support refresh_token grant.
-      return;
-    }
-
-    final refreshToken = event.refreshToken;
-    if (refreshToken == null) {
-      return;
-    }
-    OidcUser? newUser;
-    //try getting a new token.
     try {
-      final tokenResponse = await OidcEndpoints.token(
-        tokenEndpoint: discoveryDocument.tokenEndpoint!,
-        credentials: clientCredentials,
-        client: httpClient,
-        headers: settings.extraTokenHeaders,
-        request: OidcTokenRequest.refreshToken(
-          refreshToken: refreshToken,
-          clientId: clientCredentials.clientId,
-          clientSecret: clientCredentials.clientSecret,
-          extra: settings.extraTokenParameters,
-          scope: settings.scope,
-        ),
-      );
-      newUser = await createUserFromToken(
-        token: OidcToken.fromResponse(
-          tokenResponse,
-          overrideExpiresIn: settings.getExpiresIn?.call(tokenResponse),
-          sessionState: event.sessionState,
-        ),
-        nonce: null,
-        attributes: null,
-        userInfo: null,
-        metadata: discoveryDocument,
-      );
-    } catch (e) {
-      //swallow errors on fail, but unload the event manager.
+      final newUser = await doRefreshToken(overrideToken: event);
+      logger.fine('Refreshed a token and got a new user: ${newUser?.uid}');
+    } catch (error) {
       tokenEvents.unload();
+      eventsController.add(
+        OidcTokenRefreshFailedEvent.now(error: error),
+      );
     }
-    logger.fine('Refreshed a token and got a new user: ${newUser?.uid}');
   }
 
   @protected

packages/oidc_core/lib/src/models/events/_exports.dart

@@ -2,3 +2,4 @@ export 'event.dart';
 export 'pre_logout_event.dart';
 export 'token_expired_event.dart';
 export 'token_expiring_event.dart';
+export 'token_refresh_failed_event.dart';

packages/oidc_core/lib/src/models/events/token_refresh_failed_event.dart

@@ -0,0 +1,17 @@
+import 'package:oidc_core/oidc_core.dart';
+
+/// An event that gets raised when the auto token refresh fails.
+class OidcTokenRefreshFailedEvent extends OidcEvent {
+  ///
+  const OidcTokenRefreshFailedEvent({
+    required this.error,
+    required super.at,
+  });
+
+  ///
+  OidcTokenRefreshFailedEvent.now({
+    required this.error,
+  }) : super.now();
+
+  final Object error;
+}