I am now using web server authentication flow along with refresh token flow in my system. Once a user granted a permission for the app to access, the app will request a permission, an access token and refresh token. Web server authentication would be required only once. Both acquired tokens would be stored and the access token would be refreshed if expired.
Is this a good practice? Should web server authentication flow always be used with refresh token flow? When should we use refresh token to get the access token anew?
Is it acceptable to just use web server authentication flow every time to get a new authentication code and a new access token? Because the user logs in process seems to be skipped if the user has already granted the permission to the app.
Any guidance would be much appreciated!
Best Answer
What I have done in that situation is the following:
Basically I have 2 methods - 1 uses the access token to make calls (if access token is present) and another one that uses the refresh token if the access token is not present or session has expired, to obtain a new access token.
At first I always try to use the access token, assuming it's still valid. If that fails, I am calling the 2nd method that uses the refresh token to obtain new access token and if that one fails for X reason, then I'm just redirecting the user to the normal login screen. If a new access/refresh token is returned in a success case, obviously I'm storing the new tokens and use them in the future.
I haven't seen best practice documentation around these scenarios yet but I reckon you should be always trying to use the access token first.