We are building a multi-tenant platform using a microservices architecture. There is an SPA for the front end, and many APIs behind an API gateway that serve as the backend.
We chose to store permissions in the access token, to avoid having to check them in every API call. So if an API receives a request, and the token is verified (signature and expiration), it assumes that the user has the permissions stored in the token.
The issue that we are facing concerns permission changes. If I add or remove a role from a user, it will not take effect until the client app refreshes the token using silent authentication.
We thought about setting a short expiration time and refreshing the token every 10 minutes or so, but we would rather not have to wait so long for permission changes to be applied.
Another alternative would be to send a signal to the SPA that would cause it to refresh the token right away. This signal could be sent on any API call, or by periodically polling a dedicated endpoint.
Is there a recommended way to deal with this issue?
We are looking at a similar setup. In our case we are also considering having the gateway be responsible for obtaining permissions for the called API and caching them for a certain time, but that does not address your concern.
I would also be very interested in recommendations on this topic.
I wanted to follow up on this subject, as there has been a recent re-ask of this exact query, so I thought I would help shed some light on the subject. Any changes made to the user profile will only be reflected in the token’s claims when you get a new token. The OAuth2 spec doesn’t say anything about this because it is more of an application architecture question. And the methods you suggested, by which the SPA can detect these changes on the server and then get a new token, are definitely ways to achieve this.
If you have any additional questions on this front please feel free to let me know!