I was in a discussion with a customer today and we talked about how to reduce the number of calls to Kong API Gateway.
This particular API Gateway only handles communication between internal applications, so the Client Credentials grant is configured on each endpoint.
The main concern was that prior to each endpoint call, the internal applications have to make a call to request an OAuth2 access token. That makes 2 calls to the Kong API Gateway per endpoint call.
But, hey, if this setup is for communication between internal applications, we can increase the access token timeout. And it is a programming best practice to reuse an established access token rather than get a new access token prior to each endpoint call.
There's a choice.
The APIs are not exposed to the public. If the application teams within the same company cannot cooperate with one another, there's nothing we can do about it.
The customer continued to probe further: "Can't we ask the application team to use the OAuth2 refresh token to exchange for a new OAuth2 access token?"
But... this is the Client Credentials grant type. There's no refresh token generated.
Refresh tokens are only provided when retrieving a token using the Authorization Code or User Credentials grant types.
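The token reuse described above, sketched as an added example that is not from the original post or from Kong: the client caches the access token and repeats the Client Credentials request only when the token is close to expiry, since there is no refresh token to exchange. The `fetch_token` callable, the 30-second margin and the 7200-second lifetime are assumptions; the `access_token` and `expires_in` fields are the standard OAuth2 token response fields.

```python
import threading
import time


class ClientCredentialsTokenCache:
    """Holds one access token and requests a new one only near expiry."""

    def __init__(self, fetch_token, clock=time.monotonic, refresh_margin=30):
        self._fetch_token = fetch_token  # assumed callable: performs the token request
        self._clock = clock
        self._margin = refresh_margin    # renew this many seconds before expiry
        self._lock = threading.Lock()    # one renewal at a time across threads
        self._token = None
        self._expires_at = 0.0

    def get(self):
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at - self._margin:
                # Client Credentials issues no refresh token, so renewal is just
                # another token request with the client id and secret.
                body = self._fetch_token()
                self._token = body["access_token"]
                self._expires_at = self._clock() + float(body["expires_in"])
            return self._token

    def invalidate(self):
        """Drop the cached token, e.g. after the gateway rejects it with a 401."""
        with self._lock:
            self._token = None


def simulate(call_times, expires_in=7200):
    """Constructed demo: token requests needed for API calls at the given seconds."""
    now = [0.0]
    issued = []

    def fake_token_endpoint():  # stands in for the gateway's token endpoint
        issued.append(f"token-{len(issued) + 1}")
        return {"access_token": issued[-1], "token_type": "bearer", "expires_in": expires_in}

    cache = ClientCredentialsTokenCache(fake_token_endpoint, clock=lambda: now[0])
    used = []
    for t in call_times:
        now[0] = t
        used.append(cache.get())
    return len(issued), used


if __name__ == "__main__":
    print(simulate([0, 10, 3600, 7169, 7171, 9000]))
```

Six endpoint calls here cost two token requests instead of six. Keep the cached token in process memory only, because a longer token timeout also lengthens the time a leaked token stays usable.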