Rotating an expired Management API Access Token

uniquerdm · November 18, 2020, 8:49pm

My setup is a client-side application that communicates with a backend API that makes some requests to Github’s API on behalf of the user (using the token returned from the GET user Management API endpoint due to Github being the oidc provider).

The problem is that the Management API access token expires after 24 hours, and the API that uses this token to retrieve a Github access token directly under the hood, obviously stops working after the Management API access token expires (due to no longer being able to make requests to Github). I found the article in the FAQ that says in a production environment (this API is in one for this hypothetical), one needs to implement a refresh mechanism to automatically re-retrieve this token.

However, where I’m a bit confused, is that there’s no advice on best practice for this? This is an in-memory value at the moment used by the API, and I’d like to change it to the newly refreshed value without having to restart the API and reload a value from the filesystem or some cloud secrets manager.

The simplest answer obviously is to just do another client_credentials grant every request to my API, but this is clearly not scalable.

Now, I could place this Management API access token in some DB (Relational or NoSQL like Redis) and have some cronjob/background task that refreshes it every time it’s about to expire.

But obviously, some requests coming in during this refresh window might not be handled correctly. I could have 2 simultaneous access tokens that are offset by 12 hours (for example) and have the background task refresh the expired one, while new requests use the older one that hasn’t expired yet. But this obviously is a very involved implementation.

Do you have any other advice or tips for what you meant by a refresh mechanism in production? Was my last thought what you had in mind in the FAQ article? Am I missing something? Do I even need to hold onto the management api access token just to get the Github access token directly or is there some way to make requests to the github api through auth0?

joseantonio.rey · November 19, 2020, 12:04am

Hello @uniquerdm - welcome to the Auth0 Community!

First of all, let’s understand the flow that you need to use. From what you’re describing, it seems like you have a machine that’s making requests on behalf of itself. That would warrant the use of the Client Credentials grant, which is intended for these situations. It uses your Client ID and Client Secret in order to get a token, so it should be running from a secure place with direct access to Auth0 (your server).

With this in mind, you can use absolutely any method you’d like to refresh your tokens. By this, I mean (and these are just some options):

A refresh every 24 (or 20 hours?) independently of the condition
A constant check for the token’s exp claim, and renewing when exp is 15 minutes away
Any other methods you can think of, it’s up to your imagination, as long as you use the Client Credentials grant

Let me know what you think, and if you have any further questions.