About access token and refresh token


Kind of new to user authorization. After some research, I have a general idea of access and refresh token design with JWT. However, I still have a few questions:

1. After the user signs in, the user gets an access token and a refresh token. Eventually, when the user sends a certain request, say "reqA", the access token expires. Then the user needs to send a request to the auth server with the refresh token to get a new access token. Then send reqA again? In short, at some point in time while we are logged in, we need to make three requests just to successfully obtain resources from reqA? If the expiry duration is fairly short, we are frequently making extra requests just to refresh this access token?

2. From question 1, knowing that the access token is expired ONLY by failing a request seems clumsy. When and how should we refresh the access token? Should we set up some scheduled interval to refresh the access token, listen to some event to refresh, etc. in the frontend?

3. Or should we somehow check the iat and expiration attributes of the access token before sending any requests and refresh the access token as needed (say, only refresh within the last 1 minute before it expires)?

Thanks
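
The two approaches raised in questions 1 and 3, combined in one client, as an added example that is not part of the original post: refresh shortly before `exp`, and keep a single retry on a 401 as the fallback. The names `createClient`, `send` and `refresh` are hypothetical, and `send`/`refresh` stand in for whatever HTTP calls the application makes.

```javascript
// Added example; createClient, send and refresh are hypothetical names.

// Read the claims of a JWT WITHOUT verifying it. The client only uses this to
// decide when to refresh; the resource server still validates every token.
function decodeJwtPayload(token) {
  const seg = String(token).split('.')[1];
  if (!seg) return null;
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  try {
    return JSON.parse(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)));
  } catch (e) {
    return null;
  }
}

// True when the token is unreadable or expires within skewSec (question 3).
function needsRefresh(token, nowSec, skewSec = 60) {
  const claims = decodeJwtPayload(token);
  if (!claims || typeof claims.exp !== 'number') return true;
  return claims.exp - nowSec <= skewSec;
}

// send(req, token) -> { status, ... }; refresh() -> new access token string.
function createClient({ send, refresh, now = () => Math.floor(Date.now() / 1000) }) {
  let accessToken = null;
  let inFlight = null; // single-flight: concurrent callers share one refresh

  function renew() {
    if (!inFlight) {
      inFlight = Promise.resolve()
        .then(refresh)
        .then((t) => { accessToken = t; return t; })
        .finally(() => { inFlight = null; });
    }
    return inFlight;
  }

  async function request(req) {
    if (needsRefresh(accessToken, now())) await renew(); // proactive path
    let res = await send(req, accessToken);
    if (res.status === 401) {             // fallback: clock skew or revocation
      await renew();
      res = await send(req, accessToken); // retry once, never loop
    }
    return res;
  }
  return { request };
}
```

With the proactive check, the three-request sequence from question 1 only occurs when the client clock is off or the token was revoked before its `exp`.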
