The normal flow for OAuth2 as described in this SO reply is as follows:

- Send API request with access token
- If access token is invalid, try to update it using refresh token
- If refresh request passes, update the access token and re-send the initial API request
- If refresh request fails, ask user to re-authenticate

This is all well and good for most API calls, but I wonder one thing: Authentication.
When a user attempts to sign in to my fancy new webapp using their favourite service, should I use their refresh token (or cached access token in the case of OAuth1) to attempt a sign in, or should I always go and get a fresh token from the service provider (Google, Facebook, etc) and discard the stored access and refresh tokens?
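The refresh-and-retry flow from the question's bullet list, as an added example that is not part of the original post or the linked reply; the provider object, its `api_call`/`refresh` methods and the token strings are stand-ins constructed so the code runs offline.

```python
# Added example (not from the question or the linked SO reply): the refresh-and-retry
# flow from the bullet list, with a single refresh attempt and a fake provider.
from dataclasses import dataclass


class ReauthenticationRequired(Exception):
    """Raised when the refresh request fails; the user must sign in again."""


@dataclass
class TokenPair:
    access_token: str
    refresh_token: str


class FakeProvider:
    """Stand-in for the OAuth2 provider (constructed); tracks valid access tokens."""

    def __init__(self, valid_access, refresh_ok=True):
        self.valid_access = set(valid_access)
        self.refresh_ok = refresh_ok
        self.refresh_calls = 0

    def api_call(self, access_token):
        # Returns (status, body) the way an HTTP resource server would.
        if access_token in self.valid_access:
            return 200, {"user": "alice"}
        return 401, {"error": "invalid_token"}

    def refresh(self, refresh_token):
        # Returns a new access token, or None when the provider rejects the refresh.
        self.refresh_calls += 1
        if not self.refresh_ok:
            return None
        new_access = f"access-{self.refresh_calls}"
        self.valid_access.add(new_access)
        return new_access


def call_with_refresh(provider, tokens):
    """Send the request; on 401 refresh once, store the new token, and resend."""
    status, body = provider.api_call(tokens.access_token)
    if status != 401:
        return status, body
    new_access = provider.refresh(tokens.refresh_token)
    if new_access is None:
        raise ReauthenticationRequired("refresh failed; ask the user to sign in again")
    tokens.access_token = new_access
    # Resend exactly once: a second 401 means something other than expiry.
    return provider.api_call(tokens.access_token)
```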