1
votes

I made a simple test application which uses a hybrid flow to authenticate. I store the refresh token as a claim and so I'm able to refresh tokens.

But what is the recommended best practice for when to do that?

On which event should I validate the expiration? Or should I wait for an unauthorized event? Is there any example for this?

I know I could check the expiry of the token before a request is made or I may wait for an unauthorized, but is there any recommended best practice for when or in what kind of event to do that?


1 Answer

3
votes

You typically store the refresh token in some persistent data store since the whole point of it is to get long-lived access to an API.

You then use the access token as long as it is valid (e.g. use it 'til you get a 401 from the API). Then you refresh the token using the refresh token.
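The refresh-on-401 pattern from the answer above, as an added example that is not part of the original answer. `FakeAuthServer`, `FakeApi`, `TokenStore` and `ApiClient` are hypothetical names, the token values are constructed, and single-use (rotated) refresh tokens are an assumption about the authorization server.

```python
import itertools

class FakeAuthServer:
    """Constructed stand-in for a token endpoint (refresh_token grant)."""
    def __init__(self):
        self._n = itertools.count(1)
        self.valid_refresh = {"rt-0"}   # constructed sample token
        self.valid_access = set()

    def refresh(self, refresh_token):
        if refresh_token not in self.valid_refresh:
            raise PermissionError("invalid_grant")  # user must sign in again
        self.valid_refresh.discard(refresh_token)   # assumed rotation: single use
        i = next(self._n)
        self.valid_access.add(f"at-{i}")
        self.valid_refresh.add(f"rt-{i}")
        return {"access_token": f"at-{i}", "refresh_token": f"rt-{i}"}

class FakeApi:
    """Constructed stand-in for the protected API: 401 on an invalid token."""
    def __init__(self, auth):
        self.auth = auth

    def get(self, path, access_token):
        if access_token in self.auth.valid_access:
            return 200, f"data for {path}"
        return 401, None

class TokenStore:
    """A dict here; a persistent, protected data store in a real application."""
    def __init__(self, access_token, refresh_token):
        self.data = {"access_token": access_token, "refresh_token": refresh_token}

class ApiClient:
    def __init__(self, api, auth, store):
        self.api, self.auth, self.store = api, auth, store
        self.refresh_count = 0

    def get(self, path):
        status, body = self.api.get(path, self.store.data["access_token"])
        if status != 401:
            return status, body
        # 401: refresh exactly once, persist BOTH new tokens, retry exactly once.
        tokens = self.auth.refresh(self.store.data["refresh_token"])
        self.store.data.update(tokens)
        self.refresh_count += 1
        return self.api.get(path, self.store.data["access_token"])
```

Retrying only once keeps a persistent 401 from turning into a refresh loop, and a failed refresh surfaces as an error so the caller can send the user back through sign-in.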