So, we've got SOA on the backend (BE) and on the frontend (FE) we've got micro-frontends (the separate micro-frontends are loaded as components into the frontend app when needed, so internal process calls between them are possible, unlike the backend services, where between-process calls must be done).
On the BE we've got an Auth service and some other Bananas service. On the FE we've got also an auth micro-frontend and whatever other bananas micro-frontend. Imagine a user's access token has expired and he makes a request to /bananas/create. Each of our BE services of course validates the access token received on each request, and if invalid - return 401. We want to implement refresh token functionality (the refresh token will be passed alongside the access token with each request).
Now the question is: if a request with an expired token is received:
- should the
Bananasservice, when seeing the token is expired, make a call to theAuthservice to validate therefresh tokenand receive a new pair of tokens, then perform the actual bananas business and respond with the token pairs + the actual bananas data. All in 1 call. Or... - should the
Bananasstill return401, then the bananas micro-frontend delegates to the auth micro-frontend to call theAuthservice for new tokens, then return it to the bananas micro-frontend and it to make a new call to theBananasservice, with valid tokens?
This is the dilemma of design between me an my colleague. My point is that I don't want to have a 3 request-response calls back-and-forth. He argues that the Bananas service should always only return bananas data in its response objects, and not have cases when it also returns token pairs.
As I see it, both our points are valid, but we do not have the experience and knowledge to decide which has bigger priority/which is the better design.
