Best practice/solution to handle OAuth access token refresh race condition

As stated in the title, I’m looking for a solution to handle access token refresh requests.

The issue is that if multiple requests come in at the same time to create a meeting, and the access token is expired, a refresh request will be sent. Multiple calls to refresh the token will result in a failure because the first request will invalidate the others, a.k.a. a ‘race condition’.

I’ve read several posts on here without any good solution being provided.

My thought is to, after authorization and an exchange for an access token:

  1. Store the access token, expiry time, and refresh token in a database (for scalability).
  2. On an API call, fetch info from step 1. If not expired, use it.
  3. If expired, set a flag on the table to indicate refresh is in progress. If flag is set, wait 1 second and query again.
  4. Fetch refresh token, update database, remove flag.

This seems prone to errors so I’m looking for some working solutions.

Thanks!
Jaime

Hi @jfuhr ,

Thank you for resurfacing this issue! I’m looking into some suggestions from our API team that align with security and API best practices.

Best,
Gianni

Hi @jfuhr ,

Here’s what our API team has recommended:

Customers should see a “Save Access token into Database” error message when there are duplicate requests to ‘oauth/token’. Those requests need to wait until the first request has completed.

I suggest the customer build a flag which can indicate whether a new access token is in process: when the first request finds the access token is expired, it then tries to get the new access token.

Meanwhile it can set the value of the flag to true (the default value is false); the value is then reset to false after the access token is successfully retrieved. In the meantime, the other requests need to wait.

Does this help?

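As an added example (not code from the thread or from the API team), here is the “refresh in progress” flag from the question’s step 3 and the API team’s reply implemented as an in-process lock with a double-check, exercised against a constructed fake token endpoint that rotates refresh tokens, so a duplicate refresh with the old token fails exactly as the race in the question describes. `TokenRow`, `FakeOAuthServer`, `TokenManager`, `simulate` and the `at-N`/`rt-N` values are all constructed for the example.

```python
import itertools
import threading
class TokenRow:
    """Constructed in-memory stand-in for the database row from step 1."""
    def __init__(self, access_token, refresh_token, expires_at):
        self.access_token, self.refresh_token, self.expires_at = access_token, refresh_token, expires_at

class FakeOAuthServer:
    """Constructed stand-in for /oauth/token with refresh-token rotation:
    each refresh token is single-use, so reusing the old one fails (the race)."""
    def __init__(self, refresh_token):
        self._valid, self._seq, self._lock = {refresh_token}, itertools.count(1), threading.Lock()
        self.refresh_calls = 0
    def refresh(self, refresh_token, now):
        with self._lock:
            self.refresh_calls += 1
            if refresh_token not in self._valid:
                raise PermissionError("invalid_grant: refresh token already used")
            self._valid.discard(refresh_token)
            n = next(self._seq)
            self._valid.add(f"rt-{n}")
            return f"at-{n}", f"rt-{n}", now + 3600

class TokenManager:
    """The lock is the 'refresh in progress' flag: one caller refreshes, the
    others block (no 1-second polling) and then reuse its result."""
    def __init__(self, row, server, skew=60):
        self._row, self._server, self._skew = row, server, skew
        self._refresh_lock = threading.Lock()
    def _fresh(self, now):  # skew: treat a token about to expire as already expired
        return self._row.expires_at - self._skew > now
    def get_access_token(self, now):
        if self._fresh(now):
            return self._row.access_token
        with self._refresh_lock:
            if self._fresh(now):  # double-check: another caller refreshed while we waited
                return self._row.access_token
            at, rt, exp = self._server.refresh(self._row.refresh_token, now)
            self._row.access_token, self._row.refresh_token, self._row.expires_at = at, rt, exp
            return at

def simulate(n_workers=8, now=10_000.0):
    row, server = TokenRow("at-0", "rt-0", expires_at=now), FakeOAuthServer("rt-0")  # expired
    mgr, results, errors = TokenManager(row, server), [], []
    def worker():
        try: results.append(mgr.get_access_token(now))
        except PermissionError as e: errors.append(str(e))
    threads = [threading.Thread(target=worker) for _ in range(n_workers)]
    for t in threads: t.start()
    for t in threads: t.join()
    return {"refresh_calls": server.refresh_calls, "tokens": set(results), "errors": len(errors)}
```

A `threading.Lock` only serializes callers inside one process; with the database-backed design from step 1 running on several instances, the same double-checked pattern needs a database row lock or advisory lock around the refresh, and the new refresh token must be written in the same transaction as the new access token, since the provider may have already invalidated the old one.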

Okay, thanks for the assistance.