So here is the problem we are faced with:

A client is authenticated and provided with two tokens:

- Access Token, which can last for perhaps an hour.
- Refresh Token, which can last for a day, a week or longer.
With this premise, we can develop a mechanism where every API response is intercepted by a function which detects an expired-token response (assume 401, but it could also be 422, since some libraries will not be able to process the token if it is invalid, an issue I have had with flask_jwt_extended). When this is detected, you call the API to refresh your token. Now there are two possible scenarios:

1. The Refresh Token has expired.
2. The Refresh Token is still alive.
In case 1, you need to send the user back to login and immediately clear any data that was cached in the browser while they were authenticated.

In case 2, you need to obtain and store the new access token, and then use that token to call the original route again, the one whose request failed because the access token had expired.

To address the issue of several tabs or windows sharing one session, you could also store a flag, token_is_updating, in local storage, which would instruct the other tabs to wait until the token_is_updating flag turns to false before they attempt a refresh of their own. This works because local storage is shared by every tab of the same origin within the browser. Make sure the flag is cleared on every exit path, including a failed refresh, or the waiting tabs will hang.
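The whole procedure above, as an added example that is not code from the original post: a fetch wrapper that detects an expired access token (401 or 422), refreshes it once, retries the failed request, logs the user out and clears local storage when the refresh token is dead too, and uses a `token_is_updating` flag in local storage so that two tabs do not refresh at the same time. The endpoints (`/api/profile`, `/auth/refresh`), the token names, the in-memory storage and the fake backend are assumptions made so that the example runs offline under Node; in a browser you would pass `window.fetch`, `window.localStorage` and a `setTimeout`-based `sleep`. Beyond the text, it also treats a flag older than a timeout as abandoned (the tab that set it was closed mid-refresh) so the other tabs do not wait forever.

```javascript
// Added example, not code from the original post. Endpoints, key names, the in-memory
// storage and the fake backend are assumptions made for the demo.
const ACCESS_KEY = "access_token";
const REFRESH_KEY = "refresh_token";
const LOCK_KEY = "token_is_updating";
const LOCK_TTL_MS = 10000; // a flag older than this is treated as abandoned (tab closed mid-refresh)

// In-memory stand-in for window.localStorage so the example runs under Node.
function createStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
    clear: () => { map.clear(); },
  };
}

function createApiClient({ fetchImpl, storage, onLogout, sleep }) {
  const bearer = (token) => ({ Authorization: `Bearer ${token}` });
  // 401 is the usual signal; some libraries answer 422 when they cannot process the token.
  const isExpiredTokenResponse = (res) => res.status === 401 || res.status === 422;

  // Poll the shared flag until the other tab clears it; returns false if the flag is stale.
  async function waitForOtherTab() {
    for (;;) {
      const lock = storage.getItem(LOCK_KEY);
      if (lock === null) return true;
      if (Date.now() - Number(lock) >= LOCK_TTL_MS) { storage.removeItem(LOCK_KEY); return false; }
      await sleep(50);
    }
  }

  // True when storage now holds a usable access token, false when the user must log in again.
  async function refreshAccessToken(failedToken) {
    if (storage.getItem(ACCESS_KEY) !== failedToken) return true; // another tab already refreshed
    if (storage.getItem(LOCK_KEY) !== null && (await waitForOtherTab())) {
      const current = storage.getItem(ACCESS_KEY);            // use the other tab's result
      return current !== null && current !== failedToken;
    }
    storage.setItem(LOCK_KEY, String(Date.now()));
    try {
      const res = await fetchImpl("/auth/refresh", { method: "POST", headers: bearer(storage.getItem(REFRESH_KEY)) });
      if (!res.ok) return false;                                    // case 1: refresh token expired
      storage.setItem(ACCESS_KEY, (await res.json()).access_token); // case 2: store the new token
      return true;
    } finally {
      storage.removeItem(LOCK_KEY); // cleared on every exit path, including failure
    }
  }

  async function request(url, options = {}) {
    const send = (token) => fetchImpl(url, { ...options, headers: { ...(options.headers || {}), ...bearer(token) } });
    const usedToken = storage.getItem(ACCESS_KEY);
    const res = await send(usedToken);
    if (!isExpiredTokenResponse(res)) return res;
    if (!(await refreshAccessToken(usedToken))) {
      storage.clear(); // drop everything cached while the user was authenticated
      onLogout();      // send the user back to login
      return res;
    }
    return send(storage.getItem(ACCESS_KEY)); // retry the original route once with the new token
  }
  return { request };
}

// Constructed fake backend: a bearer token is accepted only if it is the most recently issued
// access token; the refresh endpoint works only while refreshValid is true.
function createFakeBackend({ refreshValid }) {
  const server = { currentAccess: "access-1", issued: 1, calls: [] };
  const reply = (status, body) => ({ status, ok: status < 300, json: async () => body });
  async function fetchImpl(url, options = {}) {
    server.calls.push(url);
    const token = ((options.headers || {}).Authorization || "").replace("Bearer ", "");
    if (url === "/auth/refresh") {
      if (!refreshValid || token !== "refresh-ok") return reply(401, { msg: "refresh token expired" });
      server.issued += 1;
      server.currentAccess = `access-${server.issued}`;
      return reply(200, { access_token: server.currentAccess });
    }
    return token === server.currentAccess ? reply(200, { user: "alice" }) : reply(401, { msg: "token expired" });
  }
  return { server, fetchImpl };
}

// Drive `tabs` clients sharing one storage through a request made with a stale access token.
async function runScenario({ refreshValid, tabs = 1, staleLock = false }) {
  const storage = createStorage();
  storage.setItem(ACCESS_KEY, "access-stale");
  storage.setItem(REFRESH_KEY, "refresh-ok");
  if (staleLock) storage.setItem(LOCK_KEY, String(Date.now() - 2 * LOCK_TTL_MS)); // abandoned flag
  const { server, fetchImpl } = createFakeBackend({ refreshValid });
  let logouts = 0;
  const clients = Array.from({ length: tabs }, () =>
    createApiClient({ fetchImpl, storage, onLogout: () => { logouts += 1; }, sleep: () => Promise.resolve() }));
  const responses = await Promise.all(clients.map((c) => c.request("/api/profile")));
  return {
    statuses: responses.map((r) => r.status),
    refreshCalls: server.calls.filter((u) => u === "/auth/refresh").length,
    logouts,
    tokenCleared: storage.getItem(ACCESS_KEY) === null,
    lockCleared: storage.getItem(LOCK_KEY) === null,
  };
}
```

`runScenario({ refreshValid: true })` is case 2 (one refresh, the retried request succeeds), `runScenario({ refreshValid: false })` is case 1 (storage cleared, logout callback fired, the original 401 returned), and `runScenario({ refreshValid: true, tabs: 2 })` shows two tabs with the same stale token producing a single refresh call. The wrapper compares the token that actually failed with what is in storage afterwards, rather than trusting the flag alone, so a tab that waited on another tab's failed refresh also logs out instead of retrying with no token.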