javascript - Why is it a bad idea to refresh access token every time when I sent request? - Stack Overflow

I was building a React Native app using OAuth2, and I got an access token, a refresh token and an expires-in time when I logged in to my app. I checked my token's expiry time when I sent a request (GET, POST). If my token had expired, I used the refresh token to get a new access token. My co-worker told me I don't need to check the expiry time, and should just use the refresh token to get an access token every time I send a request. I know his way is not proper, but what could happen if I use his way? Why is it bad to refresh the access token every time I send a request?

asked Feb 18, 2020 at 2:21 by kiritoty

2 Answers

Because it increases the network round trips and makes your application slower than it needs to be, and increases the load on the token service.

That way lies scaling problems and terrible user experience.

Your co-worker probably advised you to do this, which is how I always code these things:

  • Send the current access token to the API on each request
  • Eventually the access token will return 401
  • Then use the refresh token to get a new access token + retry the API call
  • Eventually the token renewal request will fail with an invalid_grant error and the user has to log in again

That is, you refresh only when the access token expires and not on every single request. You avoid relying on the access token expiry time, since APIs can reject tokens for multiple reasons.
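
The refresh-on-401 flow listed in the answer above, as an added example that is not part of the original answer or of any library. The names `createClient`, `callApi`, `LoginRequiredError`, `fakeServer` and the `/token` URL are hypothetical, `http` is assumed to be fetch-compatible, and sharing one refresh between concurrent requests goes slightly beyond what the answer states.

```javascript
// Added example; createClient, callApi and LoginRequiredError are hypothetical names.
// `http` is any fetch-compatible function; `tokenUrl` is an assumed token endpoint.
class LoginRequiredError extends Error {}

function createClient(http, tokenUrl, tokens) {
  let inFlight = null; // shared promise: concurrent 401s trigger a single refresh
  async function refresh() {
    const res = await http(tokenUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: `grant_type=refresh_token&refresh_token=${encodeURIComponent(tokens.refresh)}`,
    });
    const body = await res.json();
    if (res.ok) { tokens.access = body.access_token; return; }
    // invalid_grant: the refresh token is no longer accepted, so the user must log in.
    if (body.error === 'invalid_grant') throw new LoginRequiredError('login required');
    throw new Error(`token endpoint error: ${body.error}`);
  }
  async function callApi(url, options = {}) {
    const send = (token) => http(url, {
      ...options,
      headers: { ...options.headers, Authorization: `Bearer ${token}` },
    });
    const used = tokens.access;
    const res = await send(used);
    if (res.status !== 401) return res; // normal path: no token-service round trip
    if (used === tokens.access) {       // nobody has refreshed since we sent
      inFlight = inFlight || refresh().finally(() => { inFlight = null; });
      await inFlight;
    }
    return send(tokens.access);         // retry exactly once with the new token
  }
  return { callApi };
}

// Constructed stand-in for the API and token service so the example runs offline.
function fakeServer(validToken, refreshOk) {
  const s = { apiCalls: 0, refreshCalls: 0 };
  const reply = (status, body) => ({ status, ok: status < 400, json: async () => body });
  s.http = async (url, opts) => {
    if (url === '/token') {
      s.refreshCalls++;
      return refreshOk ? reply(200, { access_token: validToken })
                       : reply(400, { error: 'invalid_grant' });
    }
    s.apiCalls++;
    return reply(opts.headers.Authorization === `Bearer ${validToken}` ? 200 : 401, {});
  };
  return s;
}
```

The retry happens once per request, so a token the API keeps rejecting surfaces as a 401 to the caller instead of looping against the token service.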
