What is the purpose of a “Refresh Token”?

by

Basically, refresh tokens are used to get new access token.

To clearly differentiate these two tokens and avoid getting mixed up, here are their functions given in The OAuth 2.0 Authorization Framework:

  • Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client uses the access token to access the protected resources hosted by the resource server.
  • Refresh Tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope.

Now, to answer your question on why you were still being issued a refresh token instead of just securing an access token, the main reason provided by Internet Engineering Task Force in Refresh tokens is:

There is a security reason, the refresh_token is only ever exchanged with authorization server whereas the access_token is exchanged with resource servers. This mitigates the risk of a long-lived access_token leaking in the “an access token good for an hour, with a refresh token good for a year or good-till-revoked” vs “an access token good-till-revoked without a refresh token.”

For a more detailed and complete information of OAuth 2.0 Flow, please try going through the following references:

More Related Contents:

  1. Google OAuth 2 authorization – Error: redirect_uri_mismatch
  2. Why Does OAuth v2 Have Both Access and Refresh Tokens?
  3. Why is there an “Authorization Code” flow in OAuth2 when “Implicit” flow works so well?
  4. What if JWT is stolen?
  5. What are the main differences between JWT and OAuth authentication?
  6. What is the Authorized Javascript Origin for a webapp powered by Google Script?
  7. How to specify refresh tokens lifespan in Keycloak
  8. Multiple IdentityServer Federation : Error Unable to unprotect the message.State
  9. Authentication filter and servlet for login
  10. How to secure MongoDB with username and password
  11. Error when connect to impala with JDBC under kerberos authrication
  12. How can I extend ServiceStack Authentication
  13. Socket.IO Authentication
  14. user authentication libraries for node.js?
  15. Forgot Password: what is the best method of implementing a forgot password function?
  16. Authentication with 2 different tables
  17. How to use UrlFetchApp with credentials? Google Scripts
  18. how to implement login auth in node.js
  19. Kafka SASL zookeeper authentication
  20. How to get a JWT?
  21. Oauth 2.0 authorization for LinkedIn in Android
  22. CSRF Token necessary when using Stateless(= Sessionless) Authentication?
  23. What’s a redirect URI? how does it apply to iOS app for OAuth2.0?
  24. IIS7: Setup Integrated Windows Authentication like in IIS6
  25. Python request with authentication (access_token)
  26. OWIN – Authentication.SignOut() doesn’t seem to remove the cookie
  27. How to use Windows Active Directory Authentication and Identity Based Claims?
  28. In Subversion can I be a user other than my login name?
  29. Single sign-on flow using JWT for cross domain authentication
  30. How can I use persisted cookies from a file using phantomjs

Leave a Comment