Reputation: 2150
How should the client know that the access token has expired, so that it makes a request with the refresh token for another access token?
If the answer is that the server API will return 401, then how can the API know that the access token has expired?
I'm using IdentityServer4.
Upvotes: 1
Views: 3601
Reputation: 3514
Your API should reject any call if the bearer token it carries has already expired. For a Web API app, IdentityServerAuthenticationOptions will do the work.
But your calling web application is responsible for keeping your access_token alive. For example, if your web application is an ASP.NET Core application, you may use AspNetCore.Authentication.Cookies to authenticate any request. In that case, you can find the information about the token's expiry through the OnValidatePrincipal event.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationScheme = "Cookies",
    //ExpireTimeSpan = TimeSpan.FromSeconds(100),
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    Events = new CookieAuthenticationEvents()
    {
        OnValidatePrincipal = async x =>
        {
            // ".Token.expires_at" is only present when the OpenID Connect handler saved the tokens
            // into the authentication properties; indexing Items directly would throw if it is missing.
            string expiresAtValue;
            if (x.Properties == null
                || !x.Properties.Items.TryGetValue(".Token.expires_at", out expiresAtValue)
                || x.Properties.IssuedUtc == null)
            {
                return;
            }

            var now = DateTimeOffset.UtcNow;
            var tokenExpireTime = DateTime.Parse(expiresAtValue).ToUniversalTime();
            var timeElapsed = now.Subtract(x.Properties.IssuedUtc.Value);
            var timeRemaining = tokenExpireTime.Subtract(now.DateTime);

            // More than half of the token's lifetime has passed: refresh it before it expires.
            if (timeElapsed > timeRemaining)
            {
                // Get the new access token using the refresh token
            }
        }
    }
});
I have added a full implementation of how to get a new access token using a refresh token in another StackOverflow answer.
Upvotes: 2
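As an added illustration (not code from the question, the answer, or IdentityServer4 itself), the two halves of the answer in Python: how the API side decides a bearer token has expired (verify the signature, then compare the exp claim against the current time with a clock-skew allowance, which is what the bearer middleware does for you), and the client-side refresh rule from the OnValidatePrincipal handler above. The HS256 key and all claim values are constructed sample data; IdentityServer signs with RS256 in practice, but the expiry logic is the same.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 issuer standing in for the token server (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_bearer(token: str, key: bytes, now: int, clock_skew: int = 300) -> str:
    """What the API's bearer middleware does: check the signature first, then exp.
    Returns "ok", "malformed", "bad_signature" or "expired"."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return "bad_signature"          # never trust exp from an unverified token
    claims = json.loads(_b64url_decode(body))
    exp = claims.get("exp")
    if exp is None or now > exp + clock_skew:
        return "expired"                # this is the 401 the question asks about
    return "ok"


def should_refresh(issued_at: int, expires_at: int, now: int) -> bool:
    """Client-side rule from the answer: refresh once elapsed time exceeds remaining time."""
    return (now - issued_at) > (expires_at - now)


if __name__ == "__main__":
    key, iat = b"constructed-demo-key", 1_700_000_000
    tok = issue_token({"sub": "alice", "iat": iat, "exp": iat + 3600}, key)
    print(validate_bearer(tok, key, now=iat + 60))       # ok
    print(validate_bearer(tok, key, now=iat + 4000))     # expired
    print(should_refresh(iat, iat + 3600, iat + 1900))   # True
```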