This process is good for sophisticated clients. But, as @ebrahim.poorazizi mentioned above, the intention is to expose an API that receives a single token, without refreshing it first, getting some other token, checking expiry time, etc.
We’ve implemented something similar to what I described above, which uses the refresh token. That allows using a single token that never expires while still being able to invalidate it.
Is that approach wrong? Is there an alternative that you can think of that provides such a simple auth technique for a third-party system?
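One way to implement the single long-lived, revocable token discussed in this post, as an added example that is not the poster's code or the platform's own: an opaque random token is issued once, only its SHA-256 digest is stored server-side, and each API call looks the digest up and rejects the token once it has been revoked. The in-memory store, class and method names are hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenRecord:
    client_id: str
    revoked: bool = False


class ApiTokenStore:
    """Opaque API tokens with no expiry that can still be invalidated.

    Only a digest of each token is persisted, so a leaked copy of the store
    does not directly yield usable credentials. (Hypothetical in-memory store.)
    """

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client_id: str) -> str:
        """Create a 256-bit random token; the caller receives it exactly once."""
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = TokenRecord(client_id)
        return token

    def revoke(self, token: str) -> bool:
        """Invalidate a specific token. Returns False if it is unknown."""
        rec = self._records.get(self._digest(token))
        if rec is None:
            return False
        rec.revoked = True
        return True

    def revoke_client(self, client_id: str) -> int:
        """Invalidate every live token of a client (e.g. on offboarding)."""
        hit = [r for r in self._records.values() if r.client_id == client_id and not r.revoked]
        for rec in hit:
            rec.revoked = True
        return len(hit)

    def authenticate(self, token: Optional[str]) -> Optional[str]:
        """Return the client id for a live token, or None if missing/unknown/revoked."""
        if not token:
            return None
        rec = self._records.get(self._digest(token))
        if rec is None or rec.revoked:
            return None
        return rec.client_id
```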