0

I have a REST API, which I'll call "R". R uses Oauth2 Bearer tokens for auth.

However, R has a fairly complex API, so we're designing a new system called "O" that provides a simpler API. Users will have the choice of making calls to either R or to O. O is like an orchestrator for R. The user can invoke one of the simple APIs on O, and then O will invoke one or more API calls on R. We were thinking that O and R would use the same Oauth2 tokens, so the user would send an Oauth2 token to O, and then O would re-use that same Oauth2 token when it makes calls to R on behalf of the user.

The problem is with the timeout of the Oauth2 tokens. Typically, a call to R will complete in a few seconds. And the Oauth2 token has a timeout that's around 10 minutes. So within those 10 minutes, a typical user of R can easily complete a reasonable number of requests to R.

However, we have use cases in which O will send a long stream of requests to R over a period of time that is longer than 10 minutes. So the question is: What does O do when its Oauth2 token has expired but it still needs to send more requests to R?

One possible solution would be to use a longer timeout when we issue Oauth2 tokens to O.

Another solution might be for O to maintain a refresh token, but I don't love that idea, since I want O to appear to the end-user to be just another REST API, and sending a refresh token to O seems a bit odd.

What other solutions are possible here that would seem reasonably secure? Or should I go with one of the two solutions I mentioned (extending the timeout or using a refresh token)?

And here's a part that I'm really unclear about... So far, the auth that I've described is for authorizing end users, who are coming from outside our firewall. I am also aware of a possible design choice in which internal services (all behind a firewall) can use machine-to-machine tokens for auth. Part of the difficulty here is that R is being used both as an externally-accessible service and as an internal service. Would it make sense for R to accept both Oauth tokens (from external end-users) and also accept machine-to-machine tokens (when invoked by O, which is inside the firewall)?

Mike W
  • 51
  • 2
  • I assume there is some sort of client who determines which batch requests needs to be sent in what order? If so, the best way to me appears to run through the stack of requests, ask the resource owner for consent again to acquire a new Access Token if a 401 occurs, and resume the request stack with the new token. – Beltway Nov 02 '21 at 15:19

0 Answers0