Hello,
We have created an OAuth2 access token generation API on our edge.
High-level description:
I can see a pattern. Most of the internal business units using our APIs do not implement a best practice, i.e. our "token_generater" API, based on the credential, is always called no matter whether the token is still valid or not. That generates exponential calls to that particular API. Note: we have a 15m token expiry.
Furthermore, we often get the question: "Why can we not have a long-lasting or never-expiring token for internal business units that we trust?"
We are trying to educate the consumers to implement the code in such a way that you only make the call if the token is not valid... But that has not been working over the last years...
What is the recommendation in this case?
Should we have never-expiring tokens for trusted internal consumers, meaning a token expires only if the dev_app expires or the token is revoked?
Br,
João Paulo
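
The consumer-side pattern the post asks for, reusing a token until shortly before its 15-minute expiry, sketched as an added example that is not part of the original post. `TokenCache`, `fetch_token` and `simulate` are hypothetical names, and the token endpoint is replaced by a stand-in so the block runs offline.

```python
import threading
import time


class TokenCache:
    """Client-side cache: call the token endpoint only when no usable token is held."""

    def __init__(self, fetch_token, skew=30, clock=time.monotonic):
        # fetch_token is a hypothetical callable that performs the real
        # client-credentials request and returns (access_token, expires_in_seconds).
        self._fetch_token = fetch_token
        self._skew = skew  # renew slightly early so a token never expires in flight
        self._clock = clock
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0

    def get(self):
        with self._lock:  # one refresh at a time, even with many worker threads
            if self._token is None or self._clock() >= self._expires_at - self._skew:
                self._token, expires_in = self._fetch_token()
                self._expires_at = self._clock() + expires_in
            return self._token

    def invalidate(self):
        # Call after a 401 from the API: the token may have been revoked server-side.
        with self._lock:
            self._token = None


def simulate(request_times, ttl=900, skew=30):
    """Replay constructed request timestamps (seconds); return token-endpoint call count."""
    now = [0.0]
    calls = [0]

    def fake_fetch():  # stand-in for the real token endpoint (assumption)
        calls[0] += 1
        return f"token-{calls[0]}", ttl

    cache = TokenCache(fake_fetch, skew=skew, clock=lambda: now[0])
    for t in request_times:
        now[0] = t
        cache.get()
    return calls[0]


if __name__ == "__main__":
    # Constructed workload: one API request per second for one hour.
    print(simulate(range(3600)))  # 5 token calls instead of 3600
```

Because the cache handles revocation through `invalidate()` on a 401, the short expiry stays in place while token-endpoint traffic drops to one call per token lifetime per client process.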