Project: PAT Scanner - ForgeRock/frdp-uma-resource-server GitHub Wiki

Why

The Protection API Token (PAT) may have an expired refresh token, which would disable operations for the given Resource Owner.

How

Have a mechanism that checks the collection of Protection API Tokens (PATs) for an "expiring soon" refresh token.
For each expiring PAT, perform an operation that generates a new token.

PAT credential

The Resource Server stores the PAT in a credential database; the PAT has the following format:

{
    "access_token" : "goHn5EWMDtq3-0btOC_3SgLTehc",
    "refresh_token" : "z8T-Nsd-aleh94-5n82vhxdmxyw",
    "scope" : "uma_protection",
    "token_type" : "Bearer",
    "expires_in" : 3599
}

The expires_in attribute applies to the access_token; there is no information on when the refresh_token will expire. It is assumed that the refresh_token is longer-lived than the access_token. The expiration of the refresh_token is determined by the Authorization Server and could be any value from minutes to "never expire".

Update PAT

A solution would be to update the Protection API Token (PAT) before its refresh_token expires. A "scanner" would check all tokens at a configured frequency (most likely daily) and update those that are near expiration. The expiration of a PAT would be a configurable value derived from the value set by the Authorization Server.

What

PAT database record

The MongoDB record for a credential has the following information:

{
    "_id" : ObjectId("610c54824d55a06d2d5e242e"),
    "data" : {
        "owner" : "dcrane",
        "credential" : {
            "access_token" : "goHn5EWMDtq3-0btOC_3SgLTehc",
            "refresh_token" : "z8T-Nsd-aleh94-5n82vhxdmxyw",
            "scope" : "uma_protection",
            "token_type" : "Bearer",
            "expires_in" : 3599
        },
        "category" : "uma_pat"
    },
    "uid" : "ca4cb6d6-60e6-47af-909d-002411009577",
    "timestamps" : {
        "created" : "2021-08-05T21:13:38.983+0000",
        "updated" : "2021-09-15T15:56:27.554+0000"
    }
}

The timestamp attributes, along with a configurable expiration value, will be used to determine when a PAT needs to be refreshed.