
When there is information regarding a refresh + access token pair, the following flow is always presented for the case where the access token expires:

  1. do request / check expiration
  2. see the token expires
  3. get new access token via auth API
  4. retry the request with a new access token

And I don't understand the main idea... Why should we invalidate the initial request, force the frontend to wait, request a different API, and request again, just to proceed with the initial request?

Why doesn't the backend refresh the access token automatically if the user is valid and has a valid refresh token in the headers? (This could be done e.g. via middleware.)

Is having such middleware a viable solution, or is there something I don't see?

Serhii
  • Just to make sure I'm understanding correctly, you are asking why aren't we sending the refresh token along with the access token to the same endpoint - and if the access token is expired the refresh token will take precedence and access whatever the data is (and preferably return a fresh access token as well) right? – Mavi Domates Sep 18 '20 at 20:42
  • @MaviDomates, either this way or generate a new access token before accessing endpoint via refresh and then proceed with access again. – Serhii Sep 20 '20 at 07:41
  • Invalidating the request / waiting until the access token expires is not the standard practice. As you've called out in your comment, you can refresh the token without waiting for its expiry (ex: 10 minutes before the expiry, refresh asynchronously). Especially for server-to-server authentication, you'd do this through a simple Thread. This is different for user authentication though / when you receive the refresh token for the first time, where are you storing it? In some DB / storage / or are you passing it to the front-end? – Mavi Domates Sep 20 '20 at 22:40
  • Here's a question that I've posted with regards to this exact renewal type before: https://stackoverflow.com/questions/42515426/updating-property-of-a-singleton-with-thread-safety – Mavi Domates Sep 20 '20 at 22:41
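As an added example, not part of the question or the comments: a JavaScript client wrapper that implements the four-step flow from the question (request, see 401, refresh, retry) and the proactive refresh before expiry suggested in the comments. `AuthClient`, `makeFakeBackend`, the token values and the 10-minute margin are all constructed for this example; nothing here is a real auth server.

```javascript
// Added example (not from the question): proactive refresh shortly before expiry (as the
// comments suggest), falling back to the question's request -> 401 -> refresh -> retry flow.
const REFRESH_MARGIN_MS = 10 * 60 * 1000; // refresh 10 minutes before expiry
class AuthClient {
  // Injected: refreshTokens(rt) -> Promise<tokens>, doFetch(url, headers) -> Promise<{status, body}>
  constructor(tokens, refreshTokens, doFetch) {
    Object.assign(this, { tokens, refreshTokens, doFetch, refreshCount: 0, inflight: null });
  }
  refresh() {
    // One shared in-flight refresh: a burst of expired requests uses the refresh token once.
    if (!this.inflight) {
      this.inflight = this.refreshTokens(this.tokens.refreshToken)
        .then((t) => { this.tokens = t; this.refreshCount += 1; })
        .finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }
  async request(url) {
    if (this.tokens.expiresAt - Date.now() <= REFRESH_MARGIN_MS) await this.refresh();
    const send = () => this.doFetch(url, { Authorization: `Bearer ${this.tokens.accessToken}` });
    let res = await send();
    if (res.status === 401) { await this.refresh(); res = await send(); } // retry exactly once
    return res;
  }
}
// Constructed fake auth server + API: it accepts only the newest access token it issued.
function makeFakeBackend() {
  let n = 1;
  return {
    refreshTokens: async (rt) => {
      if (rt !== "r1") throw new Error("bad refresh token");
      n += 1;
      return { accessToken: `a${n}`, refreshToken: "r1", expiresAt: Date.now() + 3600e3 };
    },
    doFetch: async (url, h) => (h.Authorization === `Bearer a${n}`
      ? { status: 200, body: `ok ${url}` } : { status: 401, body: "invalid_token" }),
  };
}

async function runDemo() {
  const be = makeFakeBackend();
  // a1 is valid server-side but expires in one minute, i.e. inside the refresh margin.
  const c = new AuthClient({ accessToken: "a1", refreshToken: "r1", expiresAt: Date.now() + 60e3 },
    be.refreshTokens, be.doFetch);
  const r1 = await c.request("/api/me");    // proactive refresh -> a2 -> 200, no 401 seen
  c.tokens.accessToken = "stale";            // simulate a token the server now rejects
  const [r2, r3] = await Promise.all([c.request("/api/a"), c.request("/api/b")]); // one refresh
  return { statuses: [r1.status, r2.status, r3.status], refreshCount: c.refreshCount };
}
```

The single-flight `refresh()` matters in practice: without it, several concurrent requests hitting a 401 each call the token endpoint, which with rotating refresh tokens can invalidate the session that the first refresh just established.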

0 Answers