We have decided to switch from Hazelcast shared session to Stateless JWT authentication/authorization with OAuth2 and found out a problem that doesn't fit our infrastructure described below.
So we have multiple Self-contained systems (scs) that may be accessed by direct link i.e. mysite.com/scs1 and mysite.com/scs2.
Each scs has its own UI and BackEnd, but "session" (implemented via Stateless JWT Authorization) has to be valid across multiple scs'es.
OAuth2 Authorization Server is a dedicated server (UAA). In the OAuth2 terminology, each scs is a Resource Server.
Let's assume that user has logged into scs1 (via UAA) and got JWT with TTL=10 minutes and RefreshToken with TTL=30 minutes. Then he leaves that tab in browser for 15 minutes. JWT expires, but the tab still contains the previous page from scs1. And user clicks a link on that page that follows to mysite.com/scs3.
scs3 receives a request, checks JWT and finds out that it has expired. But we have a RefreshToken (still alive for 15 minutes) that may refresh JWT.
Is it possible to return a response from scs3 that would ask the browser to go to UAA and silently refresh the JWT?
Maybe some kind of REDIRECT to /uaa/authorization with an ability to add RefreshToken Header?
We have finally found out how to deal with token refresh in our case.
JWT has TTL=10min, RefreshToken has TTL=30min.
Javascript, embedded in each page of our site, refreshes the JWT every 8-9 minutes. So when the User has an opened tab in his browser, the refresh procedure will happen seamlessly.
A corner case is when User:
At this point the BackEnd receives only the JWT, which is expired. So the BackEnd redirects the User to a dedicated web-page /try-refresh?uri=mysite.com/scs1