Question

How to handle refresh tokens in Figma Plugin?

  • December 16, 2025
  • 0 replies
  • 24 views

Steve Sanders

I am reading through OAuth support for Figma Plugins: https://developers.figma.com/docs/plugins/oauth-with-plugins/#saving-the-access-token-locally

One thing I am confused about is how to handle refresh tokens? Should the Figma Plugin frontend store the refresh token along with the access token and handle refreshing at the proper time, or should the plugin backend store them and handle it? I feel like storing the refresh token in the Figma Plugin frontend is not great for security, since some OAuth providers might require the client secret to be sent along with a refresh request.

If the backend handles refreshing tokens, I see a couple of hurdles:

  • do we need to generate a new read key for the plugin to poll?
  • how does the backend know what access token it is refreshing? Do we send in the current user ID or the access token we want refreshed?

It also seems to go against what the documentation says, since it states that the server should delete the access token from the server after it has been read by the plugin. I guess this means we could still store the refresh token for a given user ID? Could there be another API on our server to initiate the refresh, and the Figma plugin would pass in the refresh token to use?

Is Figma expecting the user to have to re-auth after a single access token expires?