
Since an access_token has a short lifetime, a refresh_token is used for the user's convenience.

Let's imagine we have a client-side mobile iOS/Android app. After the first login, when the user provides his username and credentials, the subsequent request is sent to the server side, which responds with an access and a refresh token.

But what if 1 minute is left before the access token expires, or it has already expired? Should the verification process be on the server side?

The server gets a request (a gateway proxy, for example), reads the auth token from the header, verifies the expiration time, updates the token under the hood if a refresh token is present (in a header, for example), modifies the initial request and proceeds with the newly created access_token?

Or should the client app perform this kind of iteration? On each request, validate the expires_in date and, if needed, ask for a new access_token using the refresh_token grant type, and only after this make the remote call?


1 Answer

According to OAuth, when your initial token expires, depending on the situation, you should refresh it by sending the refresh_token value to the respective server endpoint. The server does the refreshing operation, generating a new token, so you get a new token with a new expires_in date. You get many options on how the client should send the refresh token, for example:

  • Having a timer and sending the refresh action before token expiration.
  • If you get a 401 status error.

I would suggest coding an HTTP interceptor, and when a response gets a 401 code, you should send the refresh action.
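The client-side interceptor the answer suggests, combined with the proactive expires_in check the question asks about, as an added example that is not part of the original question or answer. It is written as the logic a mobile or web client would run in front of its HTTP calls. Everything here is assumed for illustration: the `TokenStore`, `authFetch` and `refreshAccessToken` names, the 60-second refresh margin (`REFRESH_SKEW_MS`), and the fake resource server and token endpoint, which are constructed stand-ins so the example runs offline and are not a real OAuth server.

```javascript
// Added example (not from the original post): a client-side HTTP interceptor that
// refreshes the access token proactively when it is about to expire and reactively
// when a request comes back 401, then retries the original request once.
// The token endpoint and resource server below are constructed stand-ins so the
// example runs offline; a real app would call the OAuth token endpoint with fetch().

const REFRESH_SKEW_MS = 60 * 1000; // refresh when less than 1 minute of lifetime remains

class ReloginRequired extends Error {} // thrown when the refresh token itself is rejected

class TokenStore {
  constructor({ accessToken, refreshToken, expiresIn }, now = Date.now) {
    this.now = now; // injectable clock so the demo can fast-forward time
    this.refreshToken = refreshToken;
    this.refreshing = null; // single in-flight refresh shared by concurrent requests
    this.setAccess(accessToken, expiresIn);
  }
  setAccess(accessToken, expiresIn) {
    this.accessToken = accessToken;
    this.expiresAt = this.now() + expiresIn * 1000; // expires_in is in seconds
  }
  isExpiringSoon() {
    return this.expiresAt - this.now() <= REFRESH_SKEW_MS;
  }
}

// Exchange the refresh_token for a new access token. Concurrent callers share one
// refresh so a burst of 401s does not send N refresh requests (and, with rotating
// refresh tokens, does not present the same refresh token N times).
function refreshAccessToken(store, tokenEndpoint) {
  if (!store.refreshing) {
    store.refreshing = (async () => {
      try {
        const t = await tokenEndpoint(store.refreshToken);
        store.setAccess(t.access_token, t.expires_in);
        if (t.refresh_token) store.refreshToken = t.refresh_token; // rotation, if the server does it
        return store.accessToken;
      } catch (e) {
        throw new ReloginRequired(`refresh failed: ${e.message}`); // caller must send the user to login
      } finally {
        store.refreshing = null;
      }
    })();
  }
  return store.refreshing;
}

function withAuth(init, token) {
  return { ...init, headers: { ...(init.headers || {}), Authorization: `Bearer ${token}` } };
}

async function authFetch(store, tokenEndpoint, fetchImpl, url, init = {}) {
  if (store.isExpiringSoon()) await refreshAccessToken(store, tokenEndpoint); // proactive
  const used = store.accessToken;
  let res = await fetchImpl(url, withAuth(init, used));
  if (res.status === 401) { // reactive: refresh once and retry; a second 401 is returned as-is
    // If another request already replaced the token, just retry with the new one.
    if (store.accessToken === used) await refreshAccessToken(store, tokenEndpoint);
    res = await fetchImpl(url, withAuth(init, store.accessToken));
  }
  return res;
}

// --- Constructed offline stand-ins for the resource server and the token endpoint ---
function makeFakeBackend() {
  let valid = new Set(['access-1']);
  let serial = 1;
  const calls = { requests: 0, refreshes: 0 };
  const fetchImpl = async (url, init) => {
    calls.requests += 1;
    const token = (init.headers.Authorization || '').replace('Bearer ', '');
    return { status: valid.has(token) ? 200 : 401, url };
  };
  const tokenEndpoint = async (refreshToken) => {
    calls.refreshes += 1;
    if (refreshToken !== 'refresh-ok') throw new Error('invalid_grant');
    serial += 1;
    valid = new Set([`access-${serial}`]); // the previous access token stops working
    return { access_token: `access-${serial}`, expires_in: 300 };
  };
  return { fetchImpl, tokenEndpoint, revoke: (t) => valid.delete(t), calls };
}

// Walk through the cases from the thread: fresh token, token about to expire,
// token revoked server-side, concurrent requests, and a refresh token that is rejected.
async function demo() {
  const backend = makeFakeBackend();
  let clock = 0; // fake clock in milliseconds
  const store = new TokenStore({ accessToken: 'access-1', refreshToken: 'refresh-ok', expiresIn: 300 }, () => clock);
  const call = (path) => authFetch(store, backend.tokenEndpoint, backend.fetchImpl, path);
  const statuses = [];

  statuses.push((await call('/api/profile')).status); // fresh token: no refresh
  clock = 250 * 1000;                                  // 50 s left: proactive refresh before the call
  statuses.push((await call('/api/profile')).status);
  backend.revoke(store.accessToken);                   // revoked server-side: 401, refresh, retry
  statuses.push((await call('/api/profile')).status);
  clock = 500 * 1000;                                  // expiring again: two concurrent calls, one refresh
  for (const r of await Promise.all([call('/api/a'), call('/api/b')])) statuses.push(r.status);

  let reloginRequired = false;
  store.refreshToken = 'refresh-revoked';              // refresh token no longer accepted
  backend.revoke(store.accessToken);
  try { await call('/api/profile'); } catch (e) { reloginRequired = e instanceof ReloginRequired; }

  return { statuses, ...backend.calls, reloginRequired };
}

demo().then((out) => console.log(out));
```

The proactive check answers the "1 minute left" case from the question (the request never goes out with a token that is about to die), the 401 path covers tokens revoked before their expires_in, the shared in-flight promise keeps a burst of parallel requests from triggering several refreshes, and a rejected refresh token surfaces as an explicit re-login condition instead of an endless refresh/401 loop. The gateway-side variant from the question is not shown here; note that it would require the proxy to hold the refresh token, which is the credential a client normally keeps to itself.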