Oauth - Refresh token

> Software Security > (Authentication|Access control|Identification) - AuthN > Oauth 2.0 - Authorization framework

1 - About

When an access token expires, developers can use an optional refresh token to request a new access token without having to ask the user to enter their credentials again.

Refresh tokens are credentials used to obtain:

  • access tokens when the current access token becomes invalid or expires,
  • additional access tokens with identical or narrower scope (access token may have a shorter lifetime and fewer permissions than authorized by the resource owner).
Advertising

3 - Structure

A refresh token is a string representing the authorization granted to the client by the resource owner.

The string is usually opaque to the client.

The token denotes an identifier used to retrieve the authorization information.

Unlike access tokens, refresh tokens are intended for use only with token endpoint (authorization servers component) and are never sent to resource servers.

4 - Management

4.1 - Creation

Refresh tokens are issued to the client by the token endpoint (authorization server component).

Issuing a refresh token is optional at the discretion of the authorization server. If the token endpoint (authorization server component) issues a refresh token, it is included when issuing an access token

4.2 - Flow

where:
Get the first refresh token

Client gets resources until the access token is valid

Client asks for new access token with refresh token

Advertising

5 - Documentation / Reference

security/auth/oauth/refresh.txt · Last modified: 2019/04/30 09:21 by 162.158.154.185