Menu
I am trying to access an authorization server that issues short lived access tokens and longer lived refresh tokens when a user presents a username and password.
215
When to use Refresh Tokens? The main purpose of using a refresh token is to considerably shorten the life of an access token. The refresh token can then later be used to authenticate the user as and when required by the application without running into problems such as cookies being blocked, etc.
You can use a refresh token only to generate an access token; you can't use it to make an authenticated API call. This is useful in cases where the client making API calls doesn't have access to the private key. A third-party system can generate the refresh token and provide it to the client making API calls.
The Refresh token has a sliding window that is valid for 14 days and refresh token's validity is for 90 days.
So why does a web application need a refresh token? The main reason to use refresh tokens in web applications is to reduce the lifetime of an access token. When a web application obtains an access token with a lifetime of five to 10 minutes, that token will likely expire while the user is using the application.
Question 1:
Should the client pass the refresh token on every call to the API along with the access token or should the client only pass the refresh token once they receive an error code from the API that the access token has expired?
The client does not need the Refresh Token until the Access Token has expired. Every call needs the Access Token, but only a request to grant a new Access Token needs the Refresh Token.
To obtain a new Access Token, you send a request with the grant_type set to refresh_token, as in section 6 of the RFC.
Ideally, you'd ask for a new Access Token before the current Access Token has expired, so as not to interrupt the service.
Most implementations I've seen issue a new Refresh Token with every Access Token. You can use any valid Refresh Token to obtain a new Access Token.
Question 2:
What type of error code is passed back to the client once the refresh token has expired? This would mean the client needs to request a new access token by passing the username and password again.
Unfortunately, the RFC does not explicitly define the error response; see section 7.2 of the RFC:
If a resource access request fails, the resource server SHOULD inform the client of the error. While the specifics of such error responses are beyond the scope of this specification, this document establishes a common registry in Section 11.4 for error values to be shared among OAuth token authentication schemes.
So, the exact response depends on the server. It should be defined by the server in question.
If the server offers new Refresh Tokens, you'll want to get a new Refresh Token before the current one expires.
You do not want to send the user's credentials again; you're not supposed to have them, let alone keep them. OAuth 2 was designed to allow third parties access to a user's protected resources without seeing the user's credentials.
You will usually get a new Refresh Token with a new Access Token, in a password_grant or a refresh_token call. The RFC does not guarantee this though.
If the server does not give new Refresh Tokens, or cannot be relied upon to give new Refresh Tokens, you will have to ask the user to log in again. Note that this logging in is done via the Authorization Server, which is not necessarily your application. In fact, it's probably not.
78
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
