Refreshing Access token - Best design approach

Hi

I have a UI application which is interacting with APIGEE which in turn calls an IDP provider. We have implemented OAuth2 PKCE using the Authorization Code grant. I am successfully able to retrieve the access token, id token and refresh token on authentication. Once the user is authenticated, the access token and refresh token are stored in the APIGEE cache and returned back to the UI, which stores them locally. For every subsequent call, it passes the access token in the header and the same is validated at APIGEE using the VerifyAccessToken policy.

My query is now on the Refresh Access Token flow. I would like to know the best design for this. For example, in one of the subsequent calls, if on calling APIGEE it is found that the access token is expired, then APIGEE returns an error. If the UI gets an error, it then calls the refresh endpoint in APIGEE (and passes the refresh token), which gets a new access token and returns it back to the UI, which again stores the new access token and uses the new access token to make the call once again.

Is this the desired way to refresh the access token (at the point of failure)? Also, could you tell me what error is returned by APIGEE if the access token is found to be expired, so that the same can be checked for in the response in the UI?

@Dino-at-Google

Regards

Neel


@Dino-at-Google - I have another query on the storage of the access token and refresh tokens in the browser. I am currently looking to store them in the local / session storage and pass them in the authorization header in every request to APIGEE. These are https calls. I am not sure this is very secure in itself.

The way you have implemented the refresh token is correct. Apigee gives a 401 error with the description "Access Token expired". You can handle it in FaultRules.
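The flow the reply above confirms (401 with "Access Token expired", then refresh and retry from the UI), as an added browser-side example that is not code from this thread or from Apigee. The refresh endpoint URL, the JSON fault body shape and the token store are assumptions, and the fake Apigee stand-in is constructed so the client runs offline.

```javascript
// Added example (not from the thread or Apigee): UI-side client that treats the
// 401 "Access Token expired" fault as a signal to refresh once and retry.
// Assumed: endpoint URL, fault body shape, token store; fetchImpl is injectable.
function createApiClient({ fetchImpl, refreshUrl, tokens }) {
  let inflight = null; // single-flight: concurrent 401s share one refresh call

  function refreshTokens() {
    if (!inflight) {
      inflight = (async () => {
        const res = await fetchImpl(refreshUrl, {
          method: 'POST',
          body: JSON.stringify({ refresh_token: tokens.refreshToken }),
        });
        if (!res.ok) throw new Error('refresh failed: ' + res.status); // re-authenticate
        const body = await res.json();
        tokens.accessToken = body.access_token;
        if (body.refresh_token) tokens.refreshToken = body.refresh_token; // rotation
      })().finally(() => { inflight = null; });
    }
    return inflight;
  }

  async function call(url, init = {}) {
    const send = () => fetchImpl(url, {
      ...init,
      headers: { ...(init.headers || {}), Authorization: 'Bearer ' + tokens.accessToken },
    });
    const res = await send();
    if (res.status !== 401) return res;
    // Refresh only on the expiry fault; any other 401 (revoked, malformed) goes back to the caller.
    const fault = await res.clone().json().catch(() => ({}));
    const desc = (fault.fault && fault.fault.faultstring) || fault.error_description || '';
    if (!/expired/i.test(desc)) return res;
    await refreshTokens();
    return send(); // retry exactly once; a second 401 is returned, never looped on
  }
  return { call, refreshTokens };
}

// Constructed stand-in for Apigee so the client runs offline: accepts only the
// newest token generation and hands out the next one on /refresh.
function fakeApigee() {
  let current = 1;
  const reply = (status, body) => ({ ok: status < 300, status, json: async () => body, clone() { return this; } });
  return async (url, init) => {
    if (url.endsWith('/refresh')) { current += 1; return reply(200, { access_token: 'at-' + current }); }
    if ((init.headers || {}).Authorization === 'Bearer at-' + current) return reply(200, { data: 'ok' });
    return reply(401, { fault: { faultstring: 'Access Token expired' } });
  };
}
```

The single-flight guard matters in a real UI because several requests in flight usually expire together; without it each one would spend the same refresh token, which breaks once refresh tokens are rotated.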

@Navjot Kaur Thanks for the input. My question is that then APIGEE gives a 401 back to the UI, and then the UI has to call the refresh token endpoint again in APIGEE. So for every API call from UI to APIGEE, we have to handle this error scenario. Is this the suggested approach, or is there a better way of doing it where the UI layer can be completely abstracted out and this is handled entirely at APIGEE?

Well, if Apigee triggers the flow automatically, then how will it return the same to the UI, with the response of the resource API? It will add more complexity to the UI as well as Apigee.

@Dino-at-Google

@Navjot Kaur

My question is - does my UI code need to check for the error condition (Token expired) in every call and call the refresh token endpoint in such a scenario, or can this be handled solely at APIGEE, which implicitly triggers the refresh token flow if the access token is expired? What is the best way to handle this scenario?