Tech Industry
Nokia xcAd04 Oct 12, 2019

Refresh tokens in OAuth

I am done with my interviews but I am kinda stuck thinking about a question from one of them. While discussing authorization in microservices, I said the client will get the access and refresh token. If the validity of the access token is 5 minutes then the client will refresh the token every 5 minutes and then make the request to the resource server with the refreshed/valid access token. The interviewer asked: what if the token was invalidated at T+1 minutes? The client will still be able to make unauthorized requests to the resource server for the next 4 minutes. I didn't have an answer to this. What would have been a reasonable solution? I don't want to call the introspect endpoint for every request at the resource server. Please suggest alternative authorization mechanisms too if they would solve this problem. PS: I have worded it vaguely and that's why I didn't put it on SO, for fear of downvotes. Please feel free to state/assume any assumptions.

Fitbit 0x56BD Oct 12, 2019

You should be checking the validity of the token each time you hit the API tier. Why would you blindly trust that the access token was valid?

Nokia xcAd04 OP Oct 12, 2019

We don't need to explicitly validate the access token by calling an external endpoint. The access token can be a JWT with the caller's details, scope, claims etc. and signed. If the access token was tampered with then its validation will fail.

Twitter a.a.milne Oct 12, 2019

You give the client the token and every time the client uses it your server checks its validity.

Bose haITried Oct 12, 2019

The auth server will invalidate the refresh token

Microsoft राईता Oct 12, 2019

Yes, the client will be able to access the resource server for the next 4 minutes if the auth layer at the resource server just validates the JWT and does not call the token service to validate. You can implement a push model where the token service broadcasts the invalidated token's appId and the auth layer at the resource server can check it and reject such tokens. This way your authentication is scalable. Also you have to add throttling at the token level.
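The two replies above (local JWT validation in the OP's reply, and the push model for invalidated tokens in the reply just above) fit together in one small resource-server check. The following is an added example written for this thread, not code from any of the posters. It assumes an HS256 JWT with a shared secret (a real deployment would use an asymmetric key so resource servers hold only the public key), a unique `jti` claim as the revocation key (the reply above says appId; any identifier readable from the token works the same way), and a revocation event format `{"jti": ..., "exp": ...}` that the auth server would push, for example on a Kafka topic. All names, the secret and the events are constructed for the example. It replays the interviewer's case: the token is issued at T, revoked at T+1 minute, and presented again at T+2 minutes, when signature and `exp` are still fine but the revocation cache rejects it.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed for this example: shared HS256 key between auth server and resource server.
SECRET = b"example-shared-secret-not-for-production"
ACCESS_TOKEN_TTL = 300  # 5 minutes, as in the question


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, scope: str, jti: str, now: int) -> str:
    """Auth-server side: mint a signed HS256 JWT carrying a unique jti."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "scope": scope, "jti": jti,
               "iat": now, "exp": now + ACCESS_TOKEN_TTL}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RevocationCache:
    """Resource-server-local set of revoked jtis, fed by the auth server's broadcast.

    Each entry keeps the token's exp so it can be dropped once the token would
    have expired anyway; the set therefore never grows past what is live."""

    def __init__(self) -> None:
        self._revoked: Dict[str, int] = {}

    def on_revocation_event(self, event: dict) -> None:
        # event is what the auth server publishes (e.g. one Kafka message)
        self._revoked[event["jti"]] = int(event["exp"])

    def is_revoked(self, jti: str, now: int) -> bool:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return jti in self._revoked


def verify_token(token: str, cache: RevocationCache, now: int) -> Optional[dict]:
    """Resource-server side: local checks (alg, signature, exp) then the revocation cache.

    Returns the claims if the request may proceed, None otherwise. No call to an
    introspection endpoint is made on the request path."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # reject 'none' and algorithm-confusion attempts
        return None
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None  # tampered payload or wrong key
    claims = json.loads(_b64url_decode(p))
    if int(claims.get("exp", 0)) <= now:
        return None
    jti = claims.get("jti")
    if not jti or cache.is_revoked(jti, now):
        return None  # revocation needs a jti; a pushed revocation beats a valid signature
    return claims


def interview_scenario() -> Dict[str, bool]:
    """Replays the thread's case: issue at T, revoke at T+60s, present again at T+120s."""
    t0 = 1_700_000_000
    cache = RevocationCache()
    alice = issue_token("alice", "orders:read", "jti-alice-1", t0)
    bob = issue_token("bob", "orders:read", "jti-bob-1", t0)
    out = {}
    out["accepted_before_revocation"] = verify_token(alice, cache, t0 + 30) is not None
    # Auth server revokes alice's token at T+60s and broadcasts {jti, exp}.
    cache.on_revocation_event({"jti": "jti-alice-1", "exp": t0 + ACCESS_TOKEN_TTL})
    out["accepted_after_revocation"] = verify_token(alice, cache, t0 + 120) is not None
    out["other_user_still_accepted"] = verify_token(bob, cache, t0 + 120) is not None
    # Tampering: swap the payload for one claiming a wider scope, keep the old signature.
    h, _, s = bob.split(".")
    forged = json.dumps({"sub": "bob", "scope": "orders:write", "jti": "jti-bob-1",
                         "iat": t0, "exp": t0 + ACCESS_TOKEN_TTL}, separators=(",", ":"))
    out["tampered_accepted"] = verify_token(h + "." + _b64url(forged.encode()) + "." + s,
                                            cache, t0 + 120) is not None
    out["expired_accepted"] = verify_token(bob, cache, t0 + ACCESS_TOKEN_TTL + 1) is not None
    return out


if __name__ == "__main__":
    for name, accepted in interview_scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The cache lookup is an in-memory set check per request, so the cost the OP wanted to avoid (a network round trip per request) is gone; the trade-off is that a resource server that misses or lags the broadcast keeps accepting the token until `exp`, so the broadcast channel needs durable delivery and the short access-token lifetime stays as the backstop.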

Nokia xcAd04 OP Oct 12, 2019

Thank you. On a similar note, will a pub-sub model for the invalidated tokens using something like Kafka be reasonable?

Microsoft राईता Oct 12, 2019

Yes