My setup is a client-side application that communicates with a backend API that makes some requests to Github’s API on behalf of the user (using the token returned from the GET user Management API endpoint due to Github being the oidc provider).
The problem is that the Management API access token expires after 24 hours, and the API that uses this token to retrieve a Github access token directly under the hood, obviously stops working after the Management API access token expires (due to no longer being able to make requests to Github). I found the article in the FAQ that says in a production environment (this API is in one for this hypothetical), one needs to implement a refresh mechanism to automatically re-retrieve this token.
However, where I’m a bit confused, is that there’s no advice on best practice for this? This is an in-memory value at the moment used by the API, and I’d like to change it to the newly refreshed value without having to restart the API and reload a value from the filesystem or some cloud secrets manager.
The simplest answer obviously is to just do another client_credentials grant every request to my API, but this is clearly not scalable.
Now, I could place this Management API access token in some DB (Relational or NoSQL like Redis) and have some cronjob/background task that refreshes it every time it’s about to expire.
But obviously, some requests coming in during this refresh window might not be handled correctly. I could have 2 simultaneous access tokens that are offset by 12 hours (for example) and have the background task refresh the expired one, while new requests use the older one that hasn’t expired yet. But this obviously is a very involved implementation.
Do you have any other advice or tips for what you meant by a refresh mechanism in production? Was my last thought what you had in mind in the FAQ article? Am I missing something? Do I even need to hold onto the management api access token just to get the Github access token directly or is there some way to make requests to the github api through auth0?