I'm developing an API for a standalone SPA that is deployed in a static server. In my proposal architecture design, the SPA client accesses my API server by using the access token issued by my own implemented identity Server (API and Identity Server are separate servers).
API server needs to fetch data from third party API (in detail, it is Amazon Ads API). The third-party API is protected by an access token issued by its identity server (OAuth2). The situation is, each user has its own access token to access third-party API.
My challenge is how my API server persists the third-party access token and refresh token in a secure and effective way.
Notes: For Amazon, the access token expiration is for 1 hour, and the refresh token is for 30 days.
In my view, my API server is like the trusted middle man to fetch data from third-party API for SPA. Third-party API tokens are hidden from the SPA client.
Now I just implement to get third-party access token and refresh token stored in the database by my own access token sub claim. Then I will implement a distributed cached for improved performance. I asked if my design is a good pattern so that my efforts are valuable.
