I’m using M2M authorization for my application. Obtaining an access_token is no problem. However, I want to check after every API call whether the access token has expired or not, and if it has, request a new access token. I have checked the documentation and I thought about using refresh tokens, but you need to change your grant type to “refresh token”, whereas for M2M authorization you need to set the grant type to “client credentials”. So does this mean refresh tokens aren’t supposed to be used for M2M authorizations? Is there a standard client implementation to get a new token after it has expired? The only way I can think of doing this is to use the JavaScript Date() object to check when it has expired.
I have also checked these topics: M2M Token renewal and Correct way to handle M2M token renewal?
But I can’t seem to find the answer I want.
Thanks in advance!
Greetings katab
Before moving on, it’s good to understand the concept of a Machine to Machine Authentication. This grant is intended for non-interactive clients, where a machine is requesting a token to be used on behalf of itself (never on behalf of a user). If you are using this token on behalf of a user, you have chosen the incorrect grant.
As such, the machine should be able to understand when the token has expired and just request another one, since the machine itself, being in a secure space from which the token is requested, holds all of the details needed to request another one (including the secret).
Now, if you are intending to request a token on behalf of the user, you should be using a different grant, such as the Authorization Code Flow. In this flow, you get a code, that is then exchanged for a token server-side. You could also request a Refresh Token, and perform a Refresh operation. A full, detailed explanation of Refresh Tokens can be found here: What Are Refresh Tokens and How to Use Them Securely
Bear in mind that Refresh Tokens are long-lived, confidential information, and, as such, they should only be stored server-side. The refresh operation should also happen server-side, and not client-side at any point.
TL;DR: No, M2M tokens cannot be refreshed. The machine should be able to renew them by requesting a new one. Otherwise, you should be using a different grant.
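The renewal pattern the answer describes, as an added example that is not code from the thread or from any identity provider's SDK: a server-side provider caches the client-credentials token, treats it as expired a little early (leeway for clock skew and request latency), re-requests it from the token endpoint when needed, and shares one in-flight request between concurrent callers. The `clientCredentialsFetcher` shape, the `tokenUrl`/`audience` parameters and the injectable `now` clock are assumptions for illustration; the fake endpoint is constructed so the code runs offline.

```javascript
// Cache a client-credentials token and request a new one shortly before it expires.
function createTokenProvider(fetchToken, { leewaySeconds = 30, now = () => Date.now() } = {}) {
  let cached = null;   // { accessToken, expiresAt } with expiresAt in ms since epoch
  let inflight = null; // pending renewal, so concurrent callers share one request
  // Treat the token as expired `leewaySeconds` early to absorb clock skew and latency.
  function isValid() {
    return cached !== null && now() + leewaySeconds * 1000 < cached.expiresAt;
  }

  async function getAccessToken() {
    if (isValid()) return cached.accessToken;
    if (!inflight) {
      inflight = fetchToken()
        .then((res) => {
          if (!res.access_token || !(res.expires_in > 0)) {
            throw new Error('token response missing access_token or expires_in');
          }
          cached = { accessToken: res.access_token, expiresAt: now() + res.expires_in * 1000 };
          return cached.accessToken;
        })
        .finally(() => { inflight = null; });
    }
    return inflight;
  }
  return { getAccessToken, isValid };
}

// Assumed real fetcher (Node 18+ global fetch): POST grant_type=client_credentials to the token
// endpoint. The client secret lives only in the server-side process that calls this.
function clientCredentialsFetcher({ tokenUrl, clientId, clientSecret, audience }) {
  return async () => {
    const res = await fetch(tokenUrl, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ grant_type: 'client_credentials', client_id: clientId,
                             client_secret: clientSecret, audience }),
    });
    if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
    return res.json();
  };
}

// Constructed fake endpoint for offline use: issues tok-1, tok-2, ... and counts calls.
function makeFakeTokenEndpoint(expiresIn = 3600) {
  let calls = 0;
  return {
    fetchToken: async () => ({ access_token: `tok-${++calls}`, token_type: 'Bearer', expires_in: expiresIn }),
    calls: () => calls,
  };
}
```

Call `getAccessToken()` before every outgoing API request rather than on a timer; the provider only contacts the token endpoint when the cached token is missing or inside the leeway window.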