Using access tokens to make API requests

I have been reading on IdentityServer4 and my understanding is that (at a high level) once IdentityServer4 is set up, a registered client can make API calls to API resources that are defined, if the client has been granted that access. Using C#, I can: 1. Make a request for an access token from IdentityServer4, and then, 2. Pass this token along with my request to an API. My question is, since the token has a defined lifetime, say 3600 seconds, is it correct to say that the client needs to store this token locally and use it for all its API calls within the 3600 seconds? If so, this would mean the client should somehow know when the token has expired. How would this be achieved? Another question I have is how the 'Refresh' tokens work. When do they 'kick in' in this whole process?


1 answer

  • answered 2018-03-13 20:16 mackie

    Long story short, it's up to the client to be responsible for renewing tokens it uses. This can be based on the known expiry time (with a bit of a buffer) but OAuth also defines standard error responses from API endpoints that can indicate to a client that a new token is required. Clients should respect these and act accordingly. It depends on the grant type being used too. E.g. using client credentials, although maybe the most efficient, it may be desirable to get a new token for every call or "session" (i.e. multiple calls related to processing a given task) to avoid this complexity.
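Both strategies from the answer, renewing ahead of the known expiry and reacting to the API's 401, in one client-credentials helper. This is an added example written for this page, not code from the answerer or from IdentityServer4; the token endpoint URL, client id, secret and scope are assumed placeholders the caller supplies, and the request/response shapes are the standard OAuth 2.0 client credentials ones.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;
// Caches a client-credentials access token, renews it shortly before the expiry
// reported by the token endpoint, and retries once if the API answers 401.
public sealed class TokenClient
{
    private static readonly TimeSpan Buffer = TimeSpan.FromSeconds(60); // renew early
    private readonly HttpClient _http;
    private readonly string _tokenEndpoint, _clientId, _clientSecret, _scope; // caller-supplied placeholders
    private string _accessToken;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;
    public TokenClient(HttpClient http, string tokenEndpoint, string clientId, string clientSecret, string scope)
    { _http = http; _tokenEndpoint = tokenEndpoint; _clientId = clientId; _clientSecret = clientSecret; _scope = scope; }
    // Returns the cached token unless it is missing, within Buffer of expiring,
    // or the caller forces a renewal after the API rejected it.
    public async Task<string> GetAccessTokenAsync(bool forceRenew = false)
    {
        if (!forceRenew && _accessToken != null && DateTimeOffset.UtcNow < _expiresAt - Buffer)
            return _accessToken;
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials", ["client_id"] = _clientId,
            ["client_secret"] = _clientSecret, ["scope"] = _scope,
        });
        using var resp = await _http.PostAsync(_tokenEndpoint, form);
        resp.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        _accessToken = doc.RootElement.GetProperty("access_token").GetString();
        // expires_in is a lifetime in seconds (OAuth 2.0 token response), not a timestamp
        _expiresAt = DateTimeOffset.UtcNow.AddSeconds(doc.RootElement.GetProperty("expires_in").GetInt32());
        return _accessToken;
    }
    private Task<HttpResponseMessage> SendAsync(string url, string token) =>
        _http.SendAsync(new HttpRequestMessage(HttpMethod.Get, url)
            { Headers = { Authorization = new AuthenticationHeaderValue("Bearer", token) } });
    // A 401 from the API is the standard signal that the token is no longer accepted:
    // renew once and retry rather than trusting the local expiry clock alone.
    public async Task<HttpResponseMessage> CallApiAsync(string url)
    {
        var resp = await SendAsync(url, await GetAccessTokenAsync());
        if (resp.StatusCode != System.Net.HttpStatusCode.Unauthorized) return resp;
        resp.Dispose();
        return await SendAsync(url, await GetAccessTokenAsync(forceRenew: true));
    }
}
```

The buffer covers clock skew between the client and the token issuer; a token that still reads as valid locally can be rejected for other reasons (revocation, key rollover), which is why the 401 path exists alongside the expiry check.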