Refresh tokens in Oauth

Nokia
xcAd04

Oct 12, 2019 7 Comments

I am done with my interviews but I am kinda stuck thinking about a question in one of my interviews.

While discussing authorization in microservices, I said the client will get the access and refresh token. If the validity of the access token is 5 minutes, then the client will refresh the token every 5 minutes and then make the request to the resource server with the refreshed/valid access token.

The interviewer asked what if the token was invalidated at T+1 minutes: the client will still be able to make unauthorized requests to the resource server for the next 4 minutes. I didn't have an answer to this.

What would have been a reasonable solution to this? I don't want to call introspect endpoint for every request at the resource server.

Please suggest alternative authorization mechanisms too if it would solve this problem.

PS: I have worded it vaguely and that's why I didn't put it on SO for fear of downvotes. Please feel free to state/assume any assumptions.

TOP 7 Comments
  • Fitbit
    0x56BD
    You should be checking the validity of the token each time you hit the API tier. Why would you blindly trust that the access token was valid?
    Oct 12, 2019 1
    • Nokia
      xcAd04
      OP
      We don't need to explicitly validate the access token by calling an external endpoint. The access token can be a JWT with the caller's details, scope, claims, etc., and signed. If the access token was tampered with, then its validation will fail.
      Oct 12, 2019
  • Microsoft / Eng
    राईता
    Yes, the client will be able to access the resource server for the next 4 minutes if the auth layer at the resource server just validates the JWT and does not call the token service to validate. You can implement a push model where the token service broadcasts the invalid token's appId and the auth layer at the resource server can check it and reject such tokens. This way your authentication is scalable. Also you have to add throttling at the token level.
    Oct 12, 2019 2
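As an added illustration (not code from the thread or any of the commenters), the approach the comment above describes: the resource server validates the JWT locally and also consults a revocation set that the token service pushes to it, so the window between revocation at T+1 and expiry at T+5 is closed without an introspection call per request. The shared secret, app ids and timestamps are constructed for the demo, and the JWT handling is a minimal HS256 implementation rather than a library.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared by the token service and the resource server (HS256).
SECRET = b"demo-shared-secret-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(app_id: str, scope: str, now: int, ttl: int = 300) -> str:
    """Token service side: mint a 5-minute HS256 JWT carrying the caller's details."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"sub": app_id, "scope": scope, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"

class ResourceServerAuth:
    """Auth layer at the resource server: local JWT checks plus a pushed revocation set."""

    def __init__(self):
        # Filled by push messages from the token service; an entry can be dropped once
        # every token issued for that appId before the push would have expired anyway.
        self.revoked_app_ids = set()

    def on_revocation_push(self, app_id: str) -> None:
        """Token service broadcast: all tokens of this appId are now invalid."""
        self.revoked_app_ids.add(app_id)

    def authorize(self, token: str, now: int):
        """Return (allowed, reason-or-subject) without calling an introspection endpoint."""
        try:
            header, claims, sig = token.split(".")
        except ValueError:
            return False, "malformed"
        # The algorithm is pinned to HMAC-SHA256 here; the header's "alg" is never trusted.
        expected = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return False, "bad signature"  # tampered token fails locally, as the OP says
        payload = json.loads(b64url_decode(claims))
        if now >= payload["exp"]:
            return False, "expired"
        if payload["sub"] in self.revoked_app_ids:
            return False, "revoked"  # closes the gap between revocation and expiry
        return True, payload["sub"]
```

Throttling at the token level, which the comment also mentions, would sit in the same layer keyed on the validated `sub` claim.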
  • Bose
    haITried
    The auth server will invalidate the refresh token.
    Oct 12, 2019 0
  • Twitter
    a.a.milne
    You give the client the token and every time the client uses it your server checks its validity.
    Oct 12, 2019 0