I am looking for best practices of using Refresh Token to get Access Token

In my application setup, I have a couple of microservices (ASP.NET Core APIs). E.g. from one microservice, I am making API calls to another microservice (api-to-api OR machine-to-machine). I am looking for best practices around using a Refresh Token to get an Access Token. Shall I just check whether my current access token has expired before making the API call and, if expired, obtain a new one using the ClientId/ClientSecret/Audience (grant_type: client_credentials)? OR shall I use the refresh token to obtain the access token? I was unable to find examples/documentation around usage of the refresh token in the scenario I described.

Thank you in advance!

Hi @tdesai,

Machine-to-machine applications follow the OAuth2 Client Credentials flow. In the spec for this flow, it is explained that refresh tokens should not be issued in the token response:

4.4.3. Access Token Response

If the access token request is valid and authorized, the authorization server issues an access token as described in Section 5.1. A refresh token SHOULD NOT be included. If the request failed client authentication or is invalid, the authorization server returns an error response as described in Section 5.2.

When you validate the Access Token, you can determine if the token is expired and request another one if so.

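The pattern in the answer above (keep the access token, check its expiry before the call, re-request it with the client_credentials grant and never involve a refresh token), as an added C# example for an ASP.NET Core caller; this is not code from the thread or from any Auth0 SDK, and the token endpoint, client id, client secret and audience are supplied by the caller as placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Caches one client_credentials access token and re-requests it shortly before
// expiry. No refresh token is requested or stored: the client secret is the
// credential used to obtain a fresh token (RFC 6749 section 4.4).
public sealed class ClientCredentialsTokenProvider(HttpClient http, string tokenEndpoint,
    string clientId, string clientSecret, string audience)
{
    private readonly SemaphoreSlim _lock = new(1, 1);   // serialise concurrent renewals
    private string? _accessToken;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;
    // Renew early so a token that is valid here is not already expired on arrival.
    private static readonly TimeSpan Skew = TimeSpan.FromSeconds(60);

    private bool CachedTokenIsFresh() =>
        _accessToken is not null && DateTimeOffset.UtcNow < _expiresAt - Skew;

    public async Task<string> GetAccessTokenAsync(CancellationToken ct = default)
    {
        if (CachedTokenIsFresh()) return _accessToken!;   // fast path, no lock
        await _lock.WaitAsync(ct);
        try
        {
            if (CachedTokenIsFresh()) return _accessToken!; // another caller renewed it
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "client_credentials",
                ["client_id"] = clientId,
                ["client_secret"] = clientSecret,
                ["audience"] = audience,                     // Auth0-style API identifier
            });
            using var resp = await http.PostAsync(tokenEndpoint, form, ct);
            resp.EnsureSuccessStatusCode();
            using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync(ct));
            _accessToken = doc.RootElement.GetProperty("access_token").GetString();
            // Trust expires_in from the token response; this also works for opaque tokens.
            var ttl = doc.RootElement.GetProperty("expires_in").GetInt32();
            _expiresAt = DateTimeOffset.UtcNow.AddSeconds(ttl);
            return _accessToken!;
        }
        finally { _lock.Release(); }
    }
}
```

Register one instance per client/audience pair as a singleton and attach the returned token as a Bearer header from a DelegatingHandler; the receiving API still validates signature, issuer, audience and expiry itself.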

Thanks a lot for pointing me to the documentation. I really appreciate it!

