Rotating OAuth2.0 Refresh Tokens
Hi All!
I'm integrating with an API which uses OAuth2.0. The API provider would seem to have opted for the uber-secure option of rotating refresh tokens each time an access token is refreshed and also revoking all tokens if a refresh token is reused (assumed man-in-the-middle attack).
I would like to wrap the API in a resource that ops can use, which handles the auth (including refreshing access tokens, etc.). I currently store credentials in GCP Secrets Manager, which is accessible as a dagster resource with read-only access to GCP Secrets Manager. But now I will need to be able to store the new refresh token every time the access token is refreshed.
I could,
• keep the refresh token locally in a file (yuk)
• write the rotated refresh token back to GCP Secrets Manager (means write access, rather than read-only access to Secrets Manager)
• ...
Has anyone dealt with this scenario before? Any smart ideas on how to deal with it?
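The behaviour described in the post (rotate on every refresh, revoke the whole family on reuse) and the shape of a wrapper that persists the rotated token, as an added example that is not part of the original post and not the provider's or Dagster's code. `FakeAuthServer` is a constructed stand-in for the provider's token endpoint, `MemoryStore` is a constructed in-memory stand-in for the Secrets Manager secret, and `RotatingTokenClient`, `TokenFamilyRevoked` and `run_scenario` are hypothetical names chosen for the example; the only real-world calls are from the standard library.

```python
import secrets
import threading


class TokenFamilyRevoked(Exception):
    """Raised when the server rejects our refresh token; with reuse detection this
    means the whole token family is dead and a new interactive grant is needed."""


class FakeAuthServer:
    """Constructed stand-in for an OAuth 2.0 token endpoint that rotates refresh
    tokens and revokes the entire family when a spent token is presented again."""

    def __init__(self):
        self._tokens = {}      # refresh_token -> (family_id, already_used)
        self._revoked = set()  # family ids that tripped reuse detection

    def issue_initial(self) -> str:
        family, rt = secrets.token_hex(4), secrets.token_urlsafe(16)
        self._tokens[rt] = (family, False)
        return rt

    def refresh(self, refresh_token: str) -> dict:
        entry = self._tokens.get(refresh_token)
        if entry is None:
            return {"error": "invalid_grant"}
        family, used = entry
        if used or family in self._revoked:
            self._revoked.add(family)            # reuse detected: kill the family
            return {"error": "invalid_grant"}
        self._tokens[refresh_token] = (family, True)
        new_rt = secrets.token_urlsafe(16)
        self._tokens[new_rt] = (family, False)
        return {"access_token": "at-" + secrets.token_hex(4),
                "refresh_token": new_rt, "expires_in": 3600}


class MemoryStore:
    """Constructed in-memory stand-in for the secret that holds the live refresh
    token. A real store would read the latest version and write a new version."""

    def __init__(self, initial: str):
        self._value, self.writes = initial, 0

    def load(self) -> str:
        return self._value

    def save(self, refresh_token: str) -> None:
        self._value, self.writes = refresh_token, self.writes + 1


class RotatingTokenClient:
    """Hypothetical wrapper: hands out access tokens, refreshes on demand and
    persists the rotated refresh token immediately after every refresh."""

    def __init__(self, server: FakeAuthServer, store: MemoryStore):
        self._server, self._store = server, store
        self._lock = threading.Lock()   # two concurrent refreshes with the same
        self._access_token = None       # token would look like reuse to the server

    def get_access_token(self, force_refresh: bool = False) -> str:
        with self._lock:
            if self._access_token is None or force_refresh:
                self._refresh()
            return self._access_token

    def _refresh(self) -> None:
        resp = self._server.refresh(self._store.load())
        if "error" in resp:
            raise TokenFamilyRevoked(resp["error"])
        # Persist first, use second: the old token is already spent server-side,
        # so a crash before this write leaves the store holding a dead token.
        self._store.save(resp["refresh_token"])
        self._access_token = resp["access_token"]


def run_scenario() -> dict:
    """Walk through one rotation, a replay of the spent token, and the fallout."""
    server = FakeAuthServer()
    store = MemoryStore(server.issue_initial())
    first_rt = store.load()
    client = RotatingTokenClient(server, store)

    at1 = client.get_access_token()          # refresh #1: token rotates, store updated
    at2 = client.get_access_token()          # cached access token, no refresh
    replay = server.refresh(first_rt)        # attacker (or stale copy) replays old token
    try:
        client.get_access_token(force_refresh=True)   # our live token is now dead too
        family_revoked = False
    except TokenFamilyRevoked:
        family_revoked = True
    return {"cached": at1 == at2, "rotated": store.load() != first_rt,
            "writes": store.writes, "replay_error": replay.get("error"),
            "family_revoked": family_revoked}
```

Two practical points follow from the scenario. First, the store needs write access, but only to add a new secret version; on GCP that is `roles/secretmanager.secretVersionAdder` on that one secret alongside the existing accessor role, not a broad Secrets Manager admin grant (disabling superseded versions is a separate, optional clean-up). Second, the in-process lock above does nothing across separate runs or workers; if several of them can refresh with the same stored token, the second one to arrive trips reuse detection and kills the family for everyone, so either serialise refreshes with a cross-process lock or route every refresh through a single place.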