Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

what's the point of refresh token?

Tags:

authentication

oauth

access-token

refresh-token

i have to confess i've had this question for a very long time, never really understand.

say auth token is like a key to a safe, when it expires it's not usable anymore. now we're given a magic refresh token, which can be used to get another usable key, and another... until the magic key expires. so why not just set the expiration of the auth token as the same as refresh token? why bother at all?

what's the valid reason for it, maybe a historical one? really want to know. thanks

like image 598
wangii Avatar asked May 22 '12 13:05

wangii

People also ask

Why do I need a refresh token?

A refresh token can help you balance security with usability. Since refresh tokens are typically longer-lived, you can use them to request new access tokens after the shorter-lived access tokens expire.

What is the point of JWT refresh token?

The primary purpose of a refresh token is to get long-term access to an application on behalf of a particular user. In a nutshell, a refresh token allows any website or application to regrant the access token without bothering the user.

When should refresh token be used?

So why does a web application need a refresh token? The main reason to use refresh tokens in web applications is to reduce the lifetime of an access token. When a web application obtains an access token with a lifetime of five to 10 minutes, that token will likely expire while the user is using the application.

Should I save refresh token?

The client needs to store the refresh token safely. A malicious attacker gets access to the refresh and access token and uses it to request protected data to the resource server. The malicious attacker can get protected data from the resource server.

1 Answers

I was reading an article the other day by Taiseer Joudeh and I find it very useful he said:

In my own opinion there are three main benefits to use refresh tokens which they are:

  1. Updating access token content: as you know the access tokens are self contained tokens, they contain all the claims (Information) about the authenticated user once they are generated, now if we issue a long lived token (1 month for example) for a user named “Alex” and enrolled him in role “Users” then this information get contained on the token which the Authorization server generated. If you decided later on (2 days after he obtained the token) to add him to the “Admin” role then there is no way to update this information contained in the token generated, you need to ask him to re-authenticate him self again so the Authorization server add this information to this newly generated access token, and this not feasible on most of the cases. You might not be able to reach users who obtained long lived access tokens. So to overcome this issue we need to issue short lived access tokens (30 minutes for example) and use the refresh token to obtain new access token, once you obtain the new access token, the Authorization Server will be able to add new claim for user “Alex” which assigns him to “Admin” role once the new access token being generated

  2. Revoking access from authenticated users: Once the user obtains long lived access token he’ll be able to access the server resources as long as his access token is not expired, there is no standard way to revoke access tokens unless the Authorization Server implements custom logic which forces you to store generated access token in database and do database checks with each request. But with refresh tokens, a system admin can revoke access by simply deleting the refresh token identifier from the database so once the system requests new access token using the deleted refresh token, the Authorization Server will reject this request because the refresh token is no longer available (we’ll come into this with more details).

  3. No need to store or ask for username and password: Using refresh tokens allows you to ask the user for his username and password only one time once he authenticates for the first time, then Authorization Server can issue very long lived refresh token (1 year for example) and the user will stay logged in all this period unless system admin tries to revoke the refresh token. You can think of this as a way to do offline access to server resources, this can be useful if you are building an API which will be consumed by front end application where it is not feasible to keep asking for username/password frequently.

like image 139
Kiarash Avatar answered Sep 29 '22 22:09

Kiarash
Sign in to Comment

Related questions

What does '--user' mean with curl
How Can I Disable Authentication in Django REST Framework
How can I delegate JAAS authorization checks to Shiro?
Web API token authentication with a custom user database
Securing an API: SSL & HTTP Basic Authentication vs Signature
Flask user authentication
Sending back a JSON response when failing Passport.js authentication
Determine Domain and username used to map a network drive
Return more info to the client using OAuth Bearer Tokens Generation and Owin in WebApi
Can't create backup mongodump with --db. Authentication failed
SignInManager,what it is and how,when to use?
Get public page statuses using Facebook Graph API without Access Token
Firebase confirmation email not being sent
Configuring Spring Security 3.x to have multiple entry points
Authentication in Ionic/Cordova App
Invalid redirect URI on spotify auth
How to "soft delete" user with Devise
SQLSTATE[HY000] [1698] Access denied for user 'root'@'localhost'
Authentication with AngularJS, session management and security issues with REST Api WS
Where to store the refresh token on the Client?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!