...

A Refresh Token is a string representing credentials used to obtain access tokens. It is typically used to obtain a new access token when the current access token issued to the client becomes invalid or expires. The purpose of the Refresh Token is to allow for short-lived Access Tokens (more secure) while avoiding the end-user having to re-authenticate frequently. Since there is no end-user in the Client Credentials grant, it does not issue a refresh token: it makes no sense, as the client can simply get another token with the same client credentials. If the authorization server issues a refresh token, it is included when issuing an access token.

In contrast to the ID Token, the string is usually opaque to the client. Neither the OAuth2 nor the OIDC specification defines any format for the token.

...

Token lifespan

As described in Refresh Access Token, the specification states: "Access Tokens might not be revocable by the Authorization Server. Access Token lifetimes SHOULD therefore be kept to single use or very short lifetimes." It further states: "If ongoing access to the UserInfo Endpoint or other Protected Resources is required, a Refresh Token can be used. The Client can then exchange the Refresh Token at the Token Endpoint for a fresh short-lived Access Token that can be used to access the resource."

...

In summary, the Refresh Token lifetime and max reuse (how many times the same Refresh Token can be used without getting a new one) need to be considered carefully, and both depend on the security/risk level of the associated Security Domain.
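As an added illustration (not code from this page or from any product it refers to), the hypothetical Python token endpoint below encodes the three knobs discussed above: a short access token lifetime, an absolute refresh token lifetime, and a max-reuse count after which the refresh token is rotated. The policy values are constructed and would be set per Security Domain; it also shows the Client Credentials grant returning no refresh token.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

@dataclass(frozen=True)
class TokenPolicy:
    # Constructed values for one security domain; stricter domains would shorten these.
    access_ttl: int = 300          # short-lived access token, seconds
    refresh_ttl: int = 8 * 3600    # absolute refresh token lifetime, seconds
    max_reuse: int = 3             # exchanges allowed before the token must be rotated

@dataclass
class RefreshRecord:
    client_id: str
    expires_at: float
    uses: int = 0

class TokenEndpoint:
    # Hypothetical in-memory token endpoint; `now` is injectable for deterministic tests.
    def __init__(self, policy: TokenPolicy, now: Callable[[], float] = time.time):
        self.policy, self.now = policy, now
        self.refresh_tokens: Dict[str, RefreshRecord] = {}

    def _new_refresh_token(self, client_id: str, expires_at: float) -> str:
        rt = secrets.token_urlsafe(32)        # opaque to the client; no format is specified
        self.refresh_tokens[rt] = RefreshRecord(client_id, expires_at)
        return rt

    def issue(self, grant_type: str, client_id: str) -> dict:
        resp = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": self.policy.access_ttl}
        # Client Credentials: no end-user to spare from re-authentication, so no refresh token.
        if grant_type != "client_credentials":
            resp["refresh_token"] = self._new_refresh_token(client_id, self.now() + self.policy.refresh_ttl)
        return resp

    def refresh(self, refresh_token: str, client_id: str) -> dict:
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec.client_id != client_id:
            raise ValueError("invalid_grant")  # unknown, already retired, or wrong client
        if self.now() >= rec.expires_at:
            del self.refresh_tokens[refresh_token]
            raise ValueError("invalid_grant: refresh token expired")
        rec.uses += 1
        resp = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": self.policy.access_ttl}
        if rec.uses >= self.policy.max_reuse:
            # Reuse budget spent: retire this token and issue a replacement with the same absolute expiry.
            del self.refresh_tokens[refresh_token]
            resp["refresh_token"] = self._new_refresh_token(client_id, rec.expires_at)
        return resp
```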

Example of decoded Refresh Token

...