Implementing expiration tolerance in OAuth clients

spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.

http://github.com/spring-projects/spring-security-oauth

Apache License 2.0

4.69k stars 4.04k forks source link

Implementing expiration tolerance in OAuth clients #1025

Open gonzalad opened 7 years ago

gonzalad commented 7 years ago

Hello,

As I understand it, a token is renewed when it is expired.

We can have the following scenario :

OAuth Client calls a REST Service (accessToken is not expired - but quite)
REST Service receives the call and when validating the accessToken, the token has expired.

Could we implement an expiration tolerance (i.e. client-side), meaning the client will refresh the token a few moments (configurable) before its expiry ?

chrylis commented 5 years ago

This seems like the usual case where clients attempt to refresh their tokens something like 70% of the way into the lifetime.