For the project I'm currently working on, I'm facing an issue. On one side, I have a client that is an Angular SPA. On the other side, I've got a web API written in ASP.NET Core 6. The web API is protected by a JWT and a refresh token.
I've recently added functionality to the client in which a call is triggered every minute to the web API. Everything is working fine, but it introduces a problem. These automatic calls have a side effect: they trigger a token refresh, so the user session never ends.
The call to the API needs the JWT because it needs user identification.
How could I keep this every 1 minute call to the API without triggering the token refresh process?
We finally opted for another solution.
We add a specific header 'noTokenRefresh' to requests that should not cause a token refresh. The interceptor that handles token refresh requests simply ignores requests that have this header.
The request is still sent to the API, which returns a 401 if the token has expired. The interceptor finds the header and does not initiate a token refresh.
This is probably not the most elegant solution, but it works.
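The header check described in this answer, as an added example that is not part of the original post. It models the interceptor without Angular so it runs stand-alone; `Req`, `Res`, `Send`, the function names and the fake API are assumptions, and only the header name `noTokenRefresh` comes from the answer.

```typescript
// Added example: framework-neutral sketch, not the poster's Angular interceptor.
// Req, Res, Send and the function names are hypothetical; only the header name is from the post.
const NO_REFRESH_HEADER = "noTokenRefresh";

interface Req { url: string; headers: Record<string, string>; }
interface Res { status: number; }
type Send = (req: Req) => Promise<Res>;

// HTTP header names are case-insensitive, so compare in lower case.
function hasNoRefreshHeader(req: Req): boolean {
  const wanted = NO_REFRESH_HEADER.toLowerCase();
  return Object.keys(req.headers).some((h) => h.toLowerCase() === wanted);
}

// Refresh only on a 401 for a request that is not marked as background traffic.
function shouldRefresh(req: Req, status: number): boolean {
  return status === 401 && !hasNoRefreshHeader(req);
}

// Wraps a transport: on 401 it refreshes once and retries, unless the marker is set.
function withTokenRefresh(send: Send, refresh: () => Promise<string>): Send {
  return async (req: Req): Promise<Res> => {
    const res = await send(req);
    if (!shouldRefresh(req, res.status)) {
      return res; // marked poll: the 401 reaches the caller, the session is not extended
    }
    const token = await refresh();
    const headers = { ...req.headers, Authorization: `Bearer ${token}` };
    return send({ ...req, headers });
  };
}

// Constructed scenario: a fake API that rejects the expired access token.
async function demo() {
  let refreshes = 0;
  const api: Send = async (req) =>
    ({ status: req.headers["Authorization"] === "Bearer fresh" ? 200 : 401 });
  const client = withTokenRefresh(api, async () => { refreshes++; return "fresh"; });
  const expired: Record<string, string> = { Authorization: "Bearer expired" };
  const poll = await client({ url: "/api/status", headers: { ...expired, [NO_REFRESH_HEADER]: "1" } });
  const pollRefreshes = refreshes; // the marked poll must not have refreshed
  const user = await client({ url: "/api/orders", headers: expired });
  return { poll: poll.status, pollRefreshes, user: user.status, totalRefreshes: refreshes };
}
```

The header only steers the client: the API still validates the JWT on every request and answers 401 once it has expired, so an unmarked user action is what renews the session.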