
I am building a web application which will consist of a backend and a frontend (web) part. I want to introduce auth between these two parts, and my intention is to use OAuth2 for that.

The frontend part will act as the OAuth client, and the backend will serve as the OAuth provider, so the backend will be issuing access and refresh tokens.

My plan is, of course, to store the refresh token on the backend side and to store the access token on the frontend side (and send the access token with each request as a header parameter). Let's say that the access token lasts for 24h and the refresh token lasts for 3 months.

My question is: when (and how) should I refresh the access token which is stored on the frontend side? (I am asking this because I want to refresh it before it expires; I do not want to face the user with the login flow if it is not necessary.)

  1. Should I return a new access token after each successful request and store it on the frontend side? (Does not sound like a good idea.)
  2. Should I return a new access token if the existing one is just about to expire? I would probably need to check on the frontend side whether a new access token is returned through header parameters and, if so, replace the old one.
  3. Should I store both the access and refresh token on the frontend side and, if the access token is expired, get a new one using the refresh token?
  4. Something else?

I am not sure what the best practice is.

patak

What is your resource server? i.e. What API is `frontend` going to present the `access_token` to for resources? Is your `frontend` application a web application with a server, or a Single Page Application running in the browser? What OAuth grant type will you be using? – iandayman Apr 27 '18 at 12:29

1 Answer

No. 3 is the best case, I think. If you store both tokens (access_token & refresh_token) on the frontend side using a cookie, you can easily check them from the request using the getCookie method.

Check the access token from the request:

  1. if (isAccessTokenExpired) check the refresh token from the request
  2. if (isRefreshTokenExpired) LoginRequiredException (custom exception, and do something)
  3. else refresh both tokens (extend time or create new tokens) and respond with setCookie
  4. else just go on.

KR_RedBull