In my system the authentication strategy is the responsibility of the clients. The auth system only provides tokens via the /auth and /refresh_token routes, given respectively a usn/pwd or a valid token.
So the client can refresh the token when it is close to expiring, or just auth again after expiration.
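The client-side strategy described above, as an added example that is not part of the original post or the author's code. The response shape (`token`, `expires_at`), the `refresh_margin` threshold, and the names `FakeAuthServer` and `TokenClient` are assumptions; the server is a constructed in-memory stand-in for the two routes.

```python
import time

class FakeAuthServer:
    """Constructed in-memory stand-in for the /auth and /refresh_token routes."""
    def __init__(self, ttl=60, clock=time.time):
        self.ttl, self.clock, self.issued, self.n = ttl, clock, {}, 0

    def _issue(self):
        self.n += 1
        token = f"tok-{self.n}"
        self.issued[token] = self.clock() + self.ttl
        # Assumed response shape; the post does not specify one.
        return {"token": token, "expires_at": self.issued[token]}

    def auth(self, usn, pwd):                    # POST /auth
        if (usn, pwd) != ("alice", "s3cret"):    # constructed credentials
            raise PermissionError("bad credentials")
        return self._issue()

    def refresh_token(self, token):              # POST /refresh_token
        if self.issued.get(token, 0) <= self.clock():
            raise PermissionError("token expired or unknown")
        return self._issue()

class TokenClient:
    """Client-owned strategy: refresh near expiry, re-authenticate after it."""
    def __init__(self, server, usn, pwd, refresh_margin=10, clock=time.time):
        self.server, self.usn, self.pwd = server, usn, pwd
        self.margin, self.clock = refresh_margin, clock
        self.token, self.expires_at, self.log = None, 0.0, []

    def _store(self, resp, how):
        self.token, self.expires_at = resp["token"], resp["expires_at"]
        self.log.append(how)

    def get_token(self):
        now = self.clock()
        if self.token is None or now >= self.expires_at:
            # No token yet, or it expired: only usn/pwd can get a new one.
            self._store(self.server.auth(self.usn, self.pwd), "auth")
        elif self.expires_at - now <= self.margin:
            try:
                self._store(self.server.refresh_token(self.token), "refresh")
            except PermissionError:  # lost the race with expiry: fall back
                self._store(self.server.auth(self.usn, self.pwd), "auth")
        else:
            self.log.append("cached")  # token still comfortably valid
        return self.token
```

The fallback from a failed refresh to `/auth` covers the window where the token expires between the client's check and the server's.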