oauth tutorial - OAuth Refresh Token - oauth2 tutorial - oauth authentication
What is a Refresh Token?
- A Refresh Token is a special kind of token that can be used to obtain a renewed access token -that allows accessing a protected resource- at any time.
- You can request new access tokens until the refresh token is blacklisted.
- Refresh tokens must be stored securely by an application because they essentially allow a user to remain authenticated forever.
How Refresh Tokens work?
- Whenever an Access Token is required to access a protected resource, a client may use a Refresh Token to get a new Access Token issued by the Authentication Server.
- Although Access Tokens can be renewed at any time using Refresh Tokens, they should be renewed when old ones have expired, or when getting access to a new resource for the first time. Refresh Tokens never expire.
- They are usually subject to strict storage requirements to ensure they are not leaked. Nevertheless, they can be blacklisted by the authorization server.
learn oauth tutorial - oauth refresh token - oauth example
Refresh tokens are the credentials that can be used to acquire new access tokens.
- The lifetime of a refresh token is much longer compared to the lifetime of an access token.
- Refresh tokens can also expire but are quiet long-lived.
- When current access tokens expire or become invalid, the authorization server provides refresh tokens to the client to obtain new access token.
- The following figure illustrates the process of refreshing an expired Access Token.
learn oauth tutorial - oauth refresh token - oauth example
- Step 1 − First, the client authenticates with the authorization server by giving the authorization grant.
- Step 2 − Next, the authorization server authenticates the client, validates the authorization grant and issues the access token and refresh token to the client, if valid.
- Step 3 − Then, the client requests the resource server for protected resource by giving the access token.
- Step 4 − The resource server validates the access token and provides the protected resource.
- Step 5 − The client makes the protected resource request to the resource server by granting the access token, where the resource server validates it and serves the request, if valid. This step keeps on repeating until the access token expires.
- Step 6 − If the access token expires, the client authenticates with the authorization server and requests for new access token by providing refresh token. If the access token is invalid, the resource server sends back the invalid token error response to the client.
- Step 7 − The client authenticates with the authorization server by granting the refresh token.
- Step 8 − The authorization server then validates the refresh token by authenticating the client and issues a new access token, if it is valid.