How to specify refresh tokens lifespan in Keycloak

As pointed out in the comments by @Kuba Šimonovský, the accepted answer is missing other important factors: Actually, it is much, much, much more complicated. TL;DR One can infer that the refresh token lifespan will be equal to the smallest value among (SSO Session Idle, Client Session Idle, SSO Session Max, and Client Session Max). …

Should I explicitly send the Refresh Token to get a new Access Token – JWT

Yes, the refresh token is used to obtain a new access token. When you request the access token for the first time, you usually start by sending a token request to the token endpoint, in the case of the so-called Resource Owner Password Credentials Grant with user credentials in the request header, e.g. grant_type=password&username=user1&password=very_secret when …

What is the purpose of a “Refresh Token”?

Basically, refresh tokens are used to get a new access token. To clearly differentiate these two tokens and avoid getting mixed up, here are their functions given in The OAuth 2.0 Authorization Framework: Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client uses the access …

Why Does OAuth v2 Have Both Access and Refresh Tokens?

The link to the discussion, provided by Catchdave, has another valid point (original, dead link) made by Dick Hardt, which I believe is worth mentioning here in addition to what’s been written above: My recollection of refresh tokens was for security and revocation. <…> revocation: if the access token is self-contained, authorization can …