
What is the benefit of refresh tokens in OAuth2? [duplicate]

Based on The OAuth 2.0 Protocol, refresh tokens are used to re-authenticate for an access token and mainly to support revocation, by saving refresh tokens in a database and controlling them there. What is the benefit of doing this? Why not save the access token itself?

asked Nov 12 '14 09:11 by kosnkov

1 Answer

Access tokens are short-lived; they normally only work for 1 hour. In order to get a new access token you use the refresh token.

Page 24:

    Authorization servers SHOULD issue access tokens with a limited
    lifetime and require clients to refresh them by requesting a new
    access token using the same assertion if it is still valid.
    Otherwise the client MUST obtain a new valid assertion.

By sending a refresh token and requesting a new access token, you give the authentication server a chance to verify that you still have access and that the user has not revoked it.

Answering why below:

The reason access tokens are short-lived is that if they are compromised, the attacker has only a limited amount of time to use them. They will normally expire within an hour.

If the refresh token is compromised, it is useless because the hacker doesn't have access to the client ID, which must be sent to the authentication server at the same time to get a new access token.

answered Nov 10 '22 12:11 by DaImTo
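The following is an added example (not code from the question or the answer above) that shows the split the question asks about and the refresh flow the answer describes in one runnable process. Access tokens are self-contained and HMAC-signed, so a resource server verifies them with nothing but the signing key and a clock, and they expire after one hour; refresh tokens are opaque random strings that only exist in the authorization server's store, so each refresh can check that the token has not been revoked, has not already been used, and belongs to the client presenting it. The client registry, user names, signing key and the use of a client_secret to authenticate the confidential client are all assumptions made for this example.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed values for the example; a real server would load these from config.
SERVER_KEY = b"demo-signing-key"          # secret used to sign access tokens
ACCESS_TOKEN_TTL = 3600                    # one hour, as described in the answer
REFRESH_TOKEN_TTL = 30 * 24 * 3600         # refresh tokens live much longer
CLIENTS = {"web-app": "s3cret"}            # client_id -> client_secret (constructed)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.refresh_store = {}   # the only server-side token state: refresh_token -> record

    def _sign_access_token(self, claims: dict) -> str:
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
        return f"{payload}.{_b64(sig)}"

    def verify_access_token(self, token: str):
        """Resource-server check: stateless, needs only the key and the clock."""
        try:
            payload, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
        return claims if claims["exp"] > self.clock() else None

    def issue_tokens(self, client_id: str, user: str) -> dict:
        now = self.clock()
        access = self._sign_access_token(
            {"sub": user, "client_id": client_id, "exp": now + ACCESS_TOKEN_TTL})
        refresh = secrets.token_urlsafe(32)          # opaque: meaningless without the store
        self.refresh_store[refresh] = {"sub": user, "client_id": client_id,
                                       "exp": now + REFRESH_TOKEN_TTL, "revoked": False}
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": ACCESS_TOKEN_TTL}

    def refresh(self, refresh_token: str, client_id: str, client_secret: str):
        """Token endpoint for grant_type=refresh_token; returns None on any failure."""
        secret = CLIENTS.get(client_id)              # authenticate the confidential client
        if secret is None or not hmac.compare_digest(secret, client_secret):
            return None
        rec = self.refresh_store.get(refresh_token)
        # Server-side state is what makes revocation and client binding checkable here.
        if (rec is None or rec["revoked"] or rec["exp"] <= self.clock()
                or rec["client_id"] != client_id):
            return None
        del self.refresh_store[refresh_token]        # rotate: each refresh token is single-use
        return self.issue_tokens(client_id, rec["sub"])

    def revoke_user(self, user: str) -> int:
        """The user removes the app's access: mark all of their refresh tokens revoked."""
        hits = [r for r in self.refresh_store.values() if r["sub"] == user and not r["revoked"]]
        for rec in hits:
            rec["revoked"] = True
        return len(hits)


def demo() -> dict:
    """Issue -> access token expires -> refresh -> revoke -> refresh refused."""
    now = [1_700_000_000.0]                          # controllable clock for the walk-through
    srv = AuthServer(clock=lambda: now[0])
    t1 = srv.issue_tokens("web-app", "alice")
    r = {"fresh_valid": srv.verify_access_token(t1["access_token"]) is not None}
    now[0] += ACCESS_TOKEN_TTL + 1                   # an hour passes
    r["expired_rejected"] = srv.verify_access_token(t1["access_token"]) is None
    r["refresh_bad_secret"] = srv.refresh(t1["refresh_token"], "web-app", "wrong") is None
    t2 = srv.refresh(t1["refresh_token"], "web-app", "s3cret")
    r["refresh_ok"] = t2 is not None and srv.verify_access_token(t2["access_token"]) is not None
    r["old_refresh_reuse_rejected"] = srv.refresh(t1["refresh_token"], "web-app", "s3cret") is None
    srv.revoke_user("alice")
    r["refresh_after_revoke_rejected"] = srv.refresh(t2["refresh_token"], "web-app", "s3cret") is None
    # Revocation cannot reach an already-issued access token: it stays valid until exp,
    # which is exactly why the access lifetime is kept short.
    r["access_valid_until_exp"] = srv.verify_access_token(t2["access_token"]) is not None
    return r


if __name__ == "__main__":
    print(demo())
```

The last two checks in `demo()` are the practical answer to the question: storing only refresh tokens keeps the resource server's hot path free of database lookups, while revocation still takes effect at the next refresh, so the window in which a revoked or stolen access token keeps working is bounded by `ACCESS_TOKEN_TTL` rather than being unlimited.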