In my applications setup, I have couple of microservices (asp.net core api). Eg. From one microservice, I am making api calls to another microservice (api-to-api OR machine-to-machine). I am looking for best practices around using Refresh Token to get Access Token. Shall I just check whether my current access token has expired before making the api call, if expired obtain a new one using the ClientId/ClientSecret/Audience (grant_type: client_credentials). OR shall I using the refresh token to obtain the access token. I was unable to find examples/documentation around usage of refresh token in the scenario I described.
Machine-to-machine applications are following the OAuth2 Client Credentials flow. In the specs for this flow, it is explained that refresh tokens should not be issued in the token response.
If the access token request is valid and authorized, the authorization server issues an access token as described in Section 5.1. A refresh token SHOULD NOT be included. If the request failed client authentication or is invalid, the authorization server returns an error response as described in Section 5.2.
When you validate the Access Token, you can determine if the token is expired and request another one if so.