We currently have a backend service that talks to another backend service with secure APIs. From our understanding of the docs, this is exactly what M2M tokens are meant for which use the client-credentials flow.
However, we’re a bit at a loss on how to best handle the renewal of such tokens when they expire.
We CANNOT use refresh tokens because they are not obtainable in the client-credentials flow, so what’s the best approach then?
Yes, I’m aware we can just get another token that way.
Re-reading my question, I see that I wasn’t very clear about my concern.
I want to optimise the amount of M2M tokens the application gets as much as possible and was wondering if there’s any best practices on how to handle this.
I was thinking:
The application gets a request to call a protected API
It checks it has a cached token stored in memory (would a file be too dangerous?)
If a token exists, the token is decoded and we check the exp field to know if it’s expired (most JWT libraries will throw an exception if the token is expired).
4a. If the token hasn’t expired, cool, use it to call the protected API
4b. If the token has expired, request a new M2M token and cache it.
Does this sound like a reasonable approach to handle M2M token renewals to you? Or is there a documented approach somewhere to handle this common use case?