Refresh Token Strategy

I am writing a client that needs to authenticate using a token and, when the token is expired, use the refresh token to create another pair of access and refresh tokens. If I’m not mistaken there are two ways to deal with that and they can even be combined. So I want some advice on which one to use.

a) Before a call check the expiration date of the access token. If expired get a new one using the refresh token.

b) Do the call with the current access token and when it fails, use the refresh token to get a new access token and try again.

From my perspective, the second one is better. Please let me know if there is a gold standard.


From my point of view, you’re making fewer calls if you check on your side and refresh if expired, or actually it would be better to do it before it’s expired.

Not sure this is the gold standard, but it seems better for your Keycloak load.

Interested to know if there is any good way to do this

I understand that - from a performance point - it is better to check if expired and then refresh (upfront the real call). But tokens can also be invalid for other reasons… That means I still need to have the backup process to refresh when there is an auth error, correct?

I can think of a token that has been manually invalidated; in this case you’ll have to wait for the next refresh to know.

Or maybe a new role or scope granted to the user; is it really an issue to see them a couple of minutes later?

The token shouldn’t be invalid, it can’t be modified as it is signed…

What use case are you thinking about?

I just read which basically means both approaches are OK…
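
The two options from the question, (a) and (b), combined in one client, as an added example that is not code from any poster in this thread. `TokenClient`, `AuthError`, `refresh_fn`, `api_fn` and the 30-second skew are hypothetical names and values; the token endpoint and the API are simulated in `demo()` with constructed tokens so the block runs offline.

```python
import time

class AuthError(Exception):
    """Raised by the (simulated) API call when the server rejects the token."""

class TokenClient:
    def __init__(self, refresh_fn, tokens, skew=30, clock=time.time):
        self._refresh_fn = refresh_fn   # hypothetical: refresh_token -> token response dict
        self._skew = skew               # refresh this many seconds before expiry
        self._clock = clock
        self.refresh_count = 0
        self._store(tokens)

    def _store(self, t):
        # The refresh token is replaced too, since a refresh returns a new pair.
        self.access, self.refresh = t["access_token"], t["refresh_token"]
        self.expires_at = self._clock() + t["expires_in"]

    def _do_refresh(self):
        # If the refresh itself fails, the error propagates: the user must log in again.
        self._store(self._refresh_fn(self.refresh))
        self.refresh_count += 1

    def call(self, api_fn):
        # (a) proactive: local expiry check, no extra round trip for a fresh token
        if self._clock() >= self.expires_at - self._skew:
            self._do_refresh()
        try:
            return api_fn(self.access)
        except AuthError:
            # (b) reactive: token rejected for another reason; retry exactly once
            self._do_refresh()
            return api_fn(self.access)

def demo():
    now, issued, valid = [1000.0], [0], {"at-0"}   # constructed server state
    def refresh_fn(_refresh_token):
        issued[0] += 1
        valid.clear(); valid.add(f"at-{issued[0]}")
        return {"access_token": f"at-{issued[0]}",
                "refresh_token": f"rt-{issued[0]}", "expires_in": 300}
    def api(token):
        if token not in valid:
            raise AuthError(token)
        return "ok:" + token
    first = {"access_token": "at-0", "refresh_token": "rt-0", "expires_in": 300}
    c = TokenClient(refresh_fn, first, clock=lambda: now[0])
    out = [c.call(api)]        # fresh token: no refresh
    now[0] += 280              # inside the skew window: proactive refresh
    out.append(c.call(api))
    valid.clear()              # token invalidated server-side before expiry
    out.append(c.call(api))    # rejected, then reactive refresh and one retry
    return out, c.refresh_count
```

The retry is limited to one attempt so that a request rejected for a reason a refresh cannot fix surfaces as an error instead of looping against the token endpoint.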