I have a REST API, which I'll call "R". R uses Oauth2 Bearer tokens for auth.
However, R has a fairly complex API, so we're designing a new system called "O" that provides a simpler API. Users will have the choice of making calls to either R or to O. O is like an orchestrator for R. The user can invoke one of the simple APIs on O, and then O will invoke one or more API calls on R. We were thinking that O and R would use the same Oauth2 tokens, so the user would send an Oauth2 token to O, and then O would re-use that same Oauth2 token when it makes calls to R on behalf of the user.
The problem is with the timeout of the Oauth2 tokens. Typically, a call to R will complete in a few seconds. And the Oauth2 token has a timeout that's around 10 minutes. So within those 10 minutes, a typical user of R can easily complete a reasonable number of requests to R.
However, we have use cases in which O will send a long stream of requests to R over a period of time that is longer than 10 minutes. So the question is: What does O do when its Oauth2 token has expired but it still needs to send more requests to R?
One possible solution would be to use a longer timeout when we issue Oauth2 tokens to O.
Another solution might be for O to maintain a refresh token, but I don't love that idea, since I want O to appear to the end-user to be just another REST API, and sending a refresh token to O seems a bit odd.
What other solutions are possible here that would seem reasonably secure? Or should I go with one of the two solutions I mentioned (extending the timeout or using a refresh token)?
And here's a part that I'm really unclear about... So far, the auth that I've described is for authorizing end users, who are coming from outside our firewall. I am also aware of a possible design choice in which internal services (all behind a firewall) can use machine-to-machine tokens for auth. Part of the difficulty here is that R is being used both as an externally-accessible service and as an internal service. Would it make sense for R to accept both Oauth tokens (from external end-users) and also accept machine-to-machine tokens (when invoked by O, which is inside the firewall)?