Andrew

Reputation: 123

Refresh token - exact sequence of operations?

Can anyone advise what is the proper sequence of using a refresh token to generate a new access token, as a concept (in my case ASP.NET + Identity Server 4 and an Angular front-end client)? I mean I can implement it programmatically - issuing an access token, issuing an access token using a refresh token - but in a real-world implementation I cannot think of the whole flow.

For example -> I send my access token from my Angular client inside the HTTP request headers, then it is read by my API. I can check the token for expiration, and if it's expired, how do I implement the whole refresh token process?

In the beginning I thought the following process:

  1. Token is sent from the front end in the HTTP headers to the API
  2. Token is validated in the API
  3. If it is expired -> in the API, issue a new access token using the refresh token
  4. Use the new access token -- repeat the process in a recursive method --

But with this flow, even if someone steals my expired token and sends it again, the API will still simply get a new token and proceed with the endpoint.

Upvotes: 0

Views: 409

Answers (1)

Gary Archer

Reputation: 29208

In OAuth flows, the client refreshes the access token. The API's only role is to return a 401 error response when the access token is expired. This prevents the threat you mention.

Some website backends may refresh an OAuth access token, in which case the website is still acting as a client. The website is configured with a client ID and client secret to enable this. An API should never know these details.

Upvotes: 1
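As an added illustration of the division of responsibilities the answer describes (this is example code written for this page, not code from the question, the answer, Identity Server 4 or Angular), the following TypeScript models three roles: a constructed in-memory authorization server, an API that only validates the bearer token and answers 401 when it is expired, and a client wrapper that plays the part an Angular HTTP interceptor would play by refreshing once and retrying. Token formats, endpoint behaviour and timings are constructed for the example; the refresh token is rotated on use as an assumption, not as a description of any particular server.

```typescript
// Added example (not from the original post). Simulates: API rejects expired
// access tokens with 401 and never mints tokens; the client, which alone holds
// the refresh token, performs the refresh. All tokens and times are constructed.

interface HttpResponse { status: number; body: string; }
interface TokenPair { accessToken: string; refreshToken: string; }

// Constructed stand-in for the authorization server (hypothetical, not IdentityServer4).
class AuthServer {
  private accessExpiry: { [token: string]: number } = {}; // token -> expiresAt (ms)
  private liveRefreshTokens: { [token: string]: boolean } = {};
  private counter = 0;

  issue(now: number, ttlMs: number): TokenPair {
    this.counter += 1;
    const accessToken = 'at-' + this.counter;
    const refreshToken = 'rt-' + this.counter;
    this.accessExpiry[accessToken] = now + ttlMs;
    this.liveRefreshTokens[refreshToken] = true;
    return { accessToken, refreshToken };
  }

  // Used by the API to validate a bearer token; it cannot mint tokens.
  isValid(accessToken: string, now: number): boolean {
    const exp = this.accessExpiry[accessToken];
    return exp !== undefined && now < exp;
  }

  // Token endpoint for grant_type=refresh_token. An expired access token alone
  // is useless here; only the holder of the refresh token can call it.
  refresh(refreshToken: string, now: number, ttlMs: number): TokenPair | null {
    if (!this.liveRefreshTokens[refreshToken]) return null;
    delete this.liveRefreshTokens[refreshToken]; // assumed one-time use (rotation)
    return this.issue(now, ttlMs);
  }
}

// The API (resource server): knows nothing about refresh tokens or client
// secrets. Missing, unknown or expired bearer token -> 401.
function apiHandler(auth: AuthServer, authorizationHeader: string | undefined, now: number): HttpResponse {
  const token = authorizationHeader && authorizationHeader.indexOf('Bearer ') === 0
    ? authorizationHeader.slice(7) : undefined;
  if (!token || !auth.isValid(token, now)) {
    return { status: 401, body: 'invalid_token' };
  }
  return { status: 200, body: 'protected resource' };
}

// The client (the role an Angular HttpInterceptor would play).
class ApiClient {
  refreshCalls = 0;
  constructor(private auth: AuthServer, private tokens: TokenPair, private ttlMs: number) {}

  // On 401, refresh once and retry. A failed refresh (revoked/used refresh
  // token) returns the 401 to the caller so the app can force a new login.
  call(now: number): HttpResponse {
    const first = apiHandler(this.auth, 'Bearer ' + this.tokens.accessToken, now);
    if (first.status !== 401) return first;
    this.refreshCalls += 1;
    const fresh = this.auth.refresh(this.tokens.refreshToken, now, this.ttlMs);
    if (fresh === null) return first;
    this.tokens = fresh;
    return apiHandler(this.auth, 'Bearer ' + this.tokens.accessToken, now);
  }
}

// Scenario from the question: a stolen, expired access token replayed straight
// at the API gets 401; the API does not mint a replacement.
function stolenExpiredTokenIsRejected(): number {
  const auth = new AuthServer();
  const t0 = 1000000;
  const { accessToken } = auth.issue(t0, 60000);
  return apiHandler(auth, 'Bearer ' + accessToken, t0 + 120000).status; // 401
}

// Scenario from the answer: the legitimate client recovers from the same 401
// by refreshing with its refresh token and retrying once.
function clientRefreshesAfter401(): { status: number; refreshCalls: number } {
  const auth = new AuthServer();
  const t0 = 1000000;
  const client = new ApiClient(auth, auth.issue(t0, 60000), 60000);
  const res = client.call(t0 + 120000);
  return { status: res.status, refreshCalls: client.refreshCalls };
}

// A reused (already rotated) refresh token is refused, so the client falls
// back to the 401 rather than looping.
function reusedRefreshTokenFails(): number {
  const auth = new AuthServer();
  const t0 = 1000000;
  const pair = auth.issue(t0, 60000);
  auth.refresh(pair.refreshToken, t0 + 120000, 60000); // first use succeeds
  const client = new ApiClient(auth, pair, 60000);      // still holds the old pair
  return client.call(t0 + 120000).status; // 401
}
```

The point the example makes concrete is that `apiHandler` has no code path that calls `refresh`: possession of an expired access token buys an attacker nothing at the API, while the client's interceptor-style `call` is where the refresh and single retry live.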
