Why is it a bad idea to refresh the access token every time I send a request?

2

5

I was building a React Native app using OAuth2, and I get an access token, a refresh token and an expires-in time when I log in to my app. I checked the token's expiry time whenever I sent a request (GET, POST). If the token had expired, I used the refresh token to get a new access token. My co-worker told me I don't need to check the expiry time and should just use the refresh token to get an access token every time I send a request. I know his way is not proper, but what could happen if I use his way? Why is it bad to refresh the access token every time I send a request?

Spiegeleisen answered 18/2, 2020 at 2:21
6

Because it increases the network round trips and makes your application slower than it needs to be, and increases the load on the token service.

That way lies scaling problems and terrible user experience.

Beeck answered 18/2, 2020 at 2:31
1

Your co-worker probably advised you to do this, which is how I always code these things:

  • Send the current access token to the API on each request
  • Eventually the access token will return 401
  • Then use the refresh token to get a new access token + retry the API call
  • Eventually the token renewal request will fail with an invalid_grant error and the user has to log in again

That is, you refresh only when the access token expires and not on every single request. You avoid relying on the access token expiry time, since APIs can reject tokens for multiple reasons.

Attract answered 18/2, 2020 at 19:3 Comment(1)
One more addition to your point is that, when a refresh token is used, the backend should return a new access AND a new refresh token. This is known as a rotating refresh token and is recommended by the IETF here since it helps detect token theft. You can also read this blog to see the implementation details. - Cowling
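The refresh-on-401 flow from the answer above, combined with the refresh-token rotation mentioned in the comment, as an added example (not code from the answer's author or from any library). It goes one step beyond the answer by sharing a single refresh between concurrent requests, so a rotated refresh token is never submitted twice. The hooks `callApi`, `refreshGrant`, `store` and `onLoginRequired`, and the in-memory backend, are hypothetical; the response fields follow the OAuth2 names `access_token`, `refresh_token` and `error`.

```javascript
// Added example. callApi, refreshGrant, store and onLoginRequired are hypothetical hooks.
function createClient({ callApi, refreshGrant, store, onLoginRequired }) {
  let inFlight = null; // shared promise: concurrent 401s trigger only one refresh

  function refreshOnce() {
    if (!inFlight) {
      inFlight = refreshGrant(store.refreshToken)
        .then((res) => {
          if (res.error === 'invalid_grant') {
            // Refresh token expired, revoked or already used: user must log in again.
            store.accessToken = store.refreshToken = null;
            onLoginRequired();
            throw new Error('login_required');
          }
          if (res.error) throw new Error(res.error);
          store.accessToken = res.access_token;
          // With rotation the previous refresh token is no longer valid; keep the new one.
          if (res.refresh_token) store.refreshToken = res.refresh_token;
        })
        .finally(() => { inFlight = null; });
    }
    return inFlight;
  }

  return async function request(path) {
    const first = await callApi(path, store.accessToken);
    if (first.status !== 401) return first;
    await refreshOnce();
    // Retry exactly once; a second 401 goes back to the caller instead of looping.
    return callApi(path, store.accessToken);
  };
}

// Constructed in-memory stand-in for the API and token endpoint, so this runs offline.
function makeFakeBackend() {
  const s = { access: 'at-1', refresh: 'rt-1', n: 1, refreshCalls: 0 };
  return {
    state: s,
    callApi: async (path, token) =>
      (token === s.access ? { status: 200, body: path } : { status: 401 }),
    refreshGrant: async (rt) => {
      s.refreshCalls++;
      if (rt !== s.refresh) return { error: 'invalid_grant' };
      s.n++;
      s.access = `at-${s.n}`; s.refresh = `rt-${s.n}`;
      return { access_token: s.access, refresh_token: s.refresh };
    },
  };
}
```

In a React Native app, `store` would be backed by the platform's secure storage and `callApi` would wrap `fetch` with an `Authorization: Bearer` header.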
