2 votes

I have implemented OAuth2 Refresh Token in my project where I have two servers:
- Authentication Server
- Resource Server

Question: Where should I check whether my access token has already expired or not?

Method 1:
Before sending a request to the resource server, we check at the client side only whether the access token has expired or not. If the access token has expired, then we send the refresh token to the authentication server to get a new access token and resend the request to the resource server with the new access token.

Method 2:
The request goes to the resource server and we get `invalid_access` in the response; then we send a request to the authentication server with the refresh token to get a new access token, and then send the request to the resource server again with the new access token.

I request you to share your thoughts on the same.

Thanks in advance.

Evert: Both are valid solutions.

Tarun Ohri: I personally found checking on the client side whether the token has expired or not a better and a bit quicker way. But the problem I am facing there is that the client clock and the authentication server clock need to be very much in sync. What if on the client side it checks and finds that the token has expired, and on the server side it has not expired because of a difference of seconds?

Evert: You are allowed to refresh the token before it has expired. So it's totally cool to do this. I actually refresh automatically a little bit before expiry so I always have a valid access token.

Tarun Ohri: So, you keep a watch on the access token life span and get the new access token, irrespective of the user sending a request to the resource server or not?

Evert: I do, but there's no right answer here. If that solution makes sense for your case as well, it's definitely a valid way to go about things.

1 Answer

0 votes

Some good points above. I would definitely recommend method 2; as you've pointed out yourself, it is more resilient.

Also, the client-side code should deal with other possible reasons for 401 responses, such as load-balancing flips or changes to token signing keys.

I therefore always write OAuth clients to call APIs like this code snippet, regardless of technology.
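The answer's snippet did not survive on this page. As an added example (not the answerer's code), here is a client in that shape: it refreshes shortly before expiry with a margin for clock skew (the point raised in the comments) and, if the resource server still answers 401 for any reason, refreshes once and retries. `OAuthClient`, `FakeServers`, the 30-second `REFRESH_MARGIN` and the `tok-N` tokens are all constructed for the example; the two servers are in-memory stand-ins for the real HTTP endpoints.

```python
class OAuthClient:
    # Method 2 (refresh on 401, retry once) plus a proactive refresh just before expiry.
    REFRESH_MARGIN = 30  # seconds before expiry to refresh early (assumed value)
    def __init__(self, refresh_token, token_endpoint, api, now):
        # token_endpoint/api/now are injected callables so the example runs offline
        self._refresh_token, self._token_endpoint, self._api, self._now = (
            refresh_token, token_endpoint, api, now)
        self._access_token, self._expires_at = None, 0.0
    def _refresh(self):  # authentication server: trade refresh token for access token
        resp = self._token_endpoint(self._refresh_token)
        self._access_token = resp["access_token"]
        self._expires_at = self._now() + resp["expires_in"]
        self._refresh_token = resp.get("refresh_token", self._refresh_token)  # rotation
    def call_api(self, path):
        # Refresh ahead of expiry; the margin absorbs client/server clock skew.
        # (expires_at starts at 0, so the first call always fetches a token.)
        if self._now() >= self._expires_at - self.REFRESH_MARGIN:
            self._refresh()
        status, body = self._api(path, self._access_token)
        if status == 401:
            # Resource server rejected the token (expired, key rotated, other node):
            # refresh once and retry; a second 401 is a real authorization failure.
            self._refresh()
            status, body = self._api(path, self._access_token)
            if status == 401:
                raise PermissionError("still unauthorized after refresh")
        return status, body

class FakeServers:
    # Constructed auth + resource server: tokens live 60 s; min_issue simulates a
    # signing-key rotation that invalidates tokens issued before it.
    def __init__(self):
        self.clock, self.issued, self.min_issue, self.tokens = 1000.0, 0, 0, {}
    def token_endpoint(self, refresh_token):
        self.issued += 1
        self.tokens[f"tok-{self.issued}"] = (self.clock + 60, self.issued)
        return {"access_token": f"tok-{self.issued}", "expires_in": 60}
    def api(self, path, token):
        exp, issue = self.tokens.get(token, (0.0, 0))
        if self.clock >= exp or issue < self.min_issue:
            return 401, {"error": "invalid_token"}
        return 200, {"path": path, "token": token}

def demo():
    s = FakeServers()
    c = OAuthClient("rt-1", s.token_endpoint, s.api, now=lambda: s.clock)
    first = c.call_api("/me")[1]["token"]    # no token yet -> refresh -> tok-1
    s.clock += 45                            # 15 s left, inside the 30 s margin
    early = c.call_api("/me")[1]["token"]    # proactive refresh -> tok-2
    s.min_issue = 3                          # key rotation: tok-2 now rejected
    retried = c.call_api("/me")[1]["token"]  # 401 -> refresh -> tok-3 -> retry
    return first, early, retried, s.issued
```

`demo()` walks through the three cases in order: first token, early refresh inside the margin, and a 401 caused by something other than expiry.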