Refreshing access token

Hi

I need some inputs on the best design approach for refreshing an access token. I have two options which I am thinking of:

1) UI makes the call to APIGEE, access token is expired, APIGEE returns a 401 error which the UI handles and calls the /refreshtoken endpoint in APIGEE. APIGEE calls the external IDP and gets the new access token which is returned to the UI. The UI stores the new access token and re-executes the call which failed previously.

2) UI makes the call to APIGEE, access token is expired, APIGEE raises a 401 fault which it handles, and within APIGEE it now calls the external IDP provider on the refreshtoken endpoint to get the new access token, which is stored; it then re-executes the API call from within APIGEE and returns the API response along with the new access token. In this scenario, every API call to APIGEE will have an element called accesstoken which will either be blank or will have a value; the UI will have to check it and, if it is a non-blank value, will have to store it.

Could you kindly suggest which is the best approach to go with? I need to know this urgently, hence I request your input.

@Dino

@Dino-at-Google

@Sai Saran Vaidyanathan


So the query basically is

Should I return a 401 Unauthorized error to the UI and have the UI call the refresh token endpoint, get the new access token and retry the call which failed

OR

Should I handle it in APIGEE, wherein if the token expires, I call the IDP provider from APIGEE and return the tokens along with the API response. This would necessitate that the UI checks each API response for a non-empty access token.

@Dino

@Dino-at-Google

Kindly provide your valuable inputs as this is extremely critical for me
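The client side of option 1 (401 returned to the UI, UI refreshes and retries), written out as an added example that is not code from this thread or from Apigee. `fetchImpl`, the `store` object, the `/refreshtoken` path and its JSON request/response shape are assumptions; the two things the example adds beyond the description above are a single shared in-flight refresh for concurrent 401s and a one-retry limit so a bad token cannot loop.

```javascript
// Added example, not code from the original post. Client-side handling of
// option 1: the UI calls the API, gets a 401, calls the proxy's /refreshtoken
// endpoint once, stores the new token and re-executes the failed call.
// fetchImpl (a fetch-compatible function), store ({accessToken, refreshToken})
// and the refresh endpoint's JSON shape are assumptions for this example.
function createApiClient({ fetchImpl, store, refreshPath = "/refreshtoken" }) {
  let refreshInFlight = null; // shared so concurrent 401s trigger a single refresh

  async function refreshAccessToken() {
    if (!refreshInFlight) {
      refreshInFlight = (async () => {
        const res = await fetchImpl(refreshPath, {
          method: "POST",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({ refresh_token: store.refreshToken }),
        });
        // A rejected refresh token means the session is over: clear local
        // state and let the UI send the user back through login.
        if (!res.ok) {
          store.accessToken = null;
          store.refreshToken = null;
          throw new Error("reauthentication required");
        }
        const body = await res.json();
        store.accessToken = body.access_token;
        if (body.refresh_token) store.refreshToken = body.refresh_token; // rotation
        return store.accessToken;
      })().finally(() => { refreshInFlight = null; });
    }
    return refreshInFlight;
  }

  // Re-executes the failed call at most once: a second 401 is returned to the
  // caller rather than looping on refresh.
  async function call(path, init = {}, retried = false) {
    const headers = { ...(init.headers || {}), Authorization: `Bearer ${store.accessToken}` };
    const res = await fetchImpl(path, { ...init, headers });
    if (res.status !== 401 || retried) return res;
    await refreshAccessToken();
    return call(path, init, true);
  }

  return { call, refreshAccessToken };
}
```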