We currently have a backend service that talks to another backend service with secure APIs. From our understanding of the docs, this is exactly what M2M tokens are meant for which use the client-credentials flow.
However, we’re a bit at a loss on how to best handle the renewal of such tokens when they expire.
We CANNOT use refresh tokens because they are not obtainable in the client-credentials flow, so what’s the best approach then?
You can request a new token using your client ID and client secret, the same way you originally requested the token. Do you have a concern with this method?
Yes, I’m aware we can just get another token that way.
Re-reading my question, I see that I wasn’t very clear about my concern.
I want to optimise the amount of M2M tokens the application gets as much as possible and was wondering if there’s any best practices on how to handle this.
I was thinking:
The application gets a request to call a protected API
It checks it has a cached token stored in memory (would a file be too dangerous?)
If a token exists, the token is decoded and we check the exp field to know if it’s expired (most JWT libraries will throw an exception if the token is expired).
4a. If the token hasn’t expired, cool, use it to call the protected API
4b. If the token has expired, request a new M2M token and cache it.
Does this sound like a reasonable approach to handle M2M token renewals to you? Or is there a documented approach somewhere to handle this common use case?
This looks pretty standard. A refresh token and a client secret are very similar when we boil them down in a client credentials grant.
This is a secure server, correct? If an attacker has access to your server you probably have a bigger problem than just the tokens, your client secret is more powerful.