When to refresh token?

Question

I have application that continuously running in background. The app uses UCWA REST api. After authentication I get OAuth token and some expiration time. Authentication docs say "The lifetime of a token is eight (8) hours for authenticated users. The client application should monitor the expiration time and refresh the token as required". So, when is it required to refresh token? What expiration time should I have in reserve when starting refreshing token? 1, 10 or 60 minutes? What are OAuth best practices?

Answer 1

The response from ticket service will provide the user with the OAuth token, type of token, and an expiration value. This value is measured in seconds which means you can divide out minutes (60) or hours (3600) to get a value that you can expect requests to start failing with 401 Unauthorized. Monitoring is most useful when the application is using anonymous meeting join because the token expiration is much shorter, ~1 hour, and it is the only authentication mechanism to directly offer renewing a token.

This leads to two potential approaches:

• If using anonymous meeting join
  • Check expiration value found in authentication response and start a timer less than the expected value (maybe 1-3 min less)
  • When timer expires refresh the OAuth token
• If not using anonymous meeting join
  • Send requests until a 401 occurs
  • Check response headers for WWW-Authenticate and send another authentication request to get new token
  • Re-issue request with new token

It is better to wait for the 401 to come before taking action to refresh the token in a non-anonymous meeting join scenario.