Why do access tokens expire?

by

This is very much implementation specific, but the general idea is to allow providers to issue short term access tokens with long term refresh tokens. Why?

  • Many providers support bearer tokens which are very weak security-wise. By making them short-lived and requiring refresh, they limit the time an attacker can abuse a stolen token.
  • Large scale deployment don’t want to perform a database lookup every API call, so instead they issue self-encoded access token which can be verified by decryption. However, this also means there is no way to revoke these tokens so they are issued for a short time and must be refreshed.
  • The refresh token requires client authentication which makes it stronger. Unlike the above access tokens, it is usually implemented with a database lookup.

More Related Contents:

  1. Can I really not ship open source with Client ID? [closed]
  2. Sign in with Google temporarily disabled for this app
  3. Disable checkboxes on Google consent screen
  4. How to change Google consent screen email?
  5. OAuth 2.0 with Google Analytics API v3
  6. gapi.auth.signOut(); not working I’m lost
  7. Google API OAuth2, Service Account, “error” : “invalid_grant”
  8. Get user info via Google API
  9. How is OAuth 2 different from OAuth 1?
  10. CORS issue while making an Ajax request for oauth2 access token
  11. How to validate an OAuth 2.0 access token for a resource server?
  12. What is the difference between the OAuth Authorization Code and Implicit workflows? When to use each one?
  13. Restrict Login Email with Google OAuth2.0 to Specific Domain Name
  14. Using Postman to access OAuth 2.0 Google APIs
  15. OAuth2 and Google API: access token expiration time?
  16. OAuth 2.0: Benefits and use cases — why?
  17. What is the purpose of the implicit grant authorization type in OAuth 2?
  18. How to specify the scope of Google API to get the birthday
  19. Difference between OAuth 2.0 “state” and OpenID “nonce” parameter? Why state could not be reused?
  20. JWT (Json Web Token) Audience “aud” versus Client_Id – What’s the difference?
  21. client secret in OAuth 2.0
  22. LinkedIn OAuth2: “Unable to verify access token”
  23. OAuth Authorization vs Authentication
  24. Getting a 403 – Forbidden for Google Service Account
  25. How can I verify a Google authentication API access token?
  26. How to correctly use Google Plus Sign In with multiple activities?
  27. Where can I get Google developer key
  28. Netsuite OAuth Not Working
  29. Access to Google API – GoogleAccountCredential.usingOAuth2 vs GoogleAuthUtil.getToken()
  30. How to renew the access token using the refresh token?

Leave a Comment