Oauth - Refresh token

1 - About

When an access token expires, developers can use an optional refresh token to request a new access token without having to ask the user to enter their credentials again.

Refresh tokens are credentials used to obtain:

  • access tokens when the current access token becomes invalid or expires,
  • additional access tokens with identical or narrower scope (an access token may have a shorter lifetime and fewer permissions than those authorized by the resource owner).

3 - Structure

A refresh token is a string representing the authorization granted to the client by the resource owner.

The string is usually opaque to the client.

The token denotes an identifier used to retrieve the authorization information.

Unlike access tokens, refresh tokens are intended for use only with the token endpoint (an authorization server component) and are never sent to resource servers.

4 - Management

4.1 - Creation

Refresh tokens are issued to the client by the token endpoint (authorization server component).

Issuing a refresh token is optional, at the discretion of the authorization server. If the token endpoint (authorization server component) issues a refresh token, it is included in the response that issues the access token.

4.2 - Flow

<div class="mermaid">
sequenceDiagram
    participant CL as Client
    participant RS as Resource Server
    participant AS as Token Endpoint
    alt Get the first refresh token
        CL->>AS: (A) Presents an authorization grant
        AS->>CL: (B) Issues an access token and a refresh token.
    end
    loop Access Token Valid
        CL->>RS: (C) Presents an Access Token
        RS->>CL: (D) Serves the Protected Resource
        RS->>CL: (D') or Returns an invalid token error
    end
    alt When Access Token expires
        CL->>AS: (E) Presents the Refresh Token
        AS->>CL: (F) Issues a new access token and refresh token
    end
</div>

where:

  • (A)-(B): the client gets the first refresh token together with an access token,
  • (C)-(D): the client gets resources from the resource server while the access token is valid,
  • (E)-(F): the client asks the token endpoint for a new access token with the refresh token, without involving the resource owner again.
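The flow above, as an added example that is not code from the original page: an in-memory token endpoint issues an access/refresh pair (A)-(B), the resource server only ever sees the access token (C)-(D'), and once the access token expires the client trades the refresh token for a new pair (E)-(F). The token lifetime, the in-memory stores and the rejection of an already-used refresh token are assumptions of this example, not details stated on the page.

```python
import secrets

# Constructed in-memory stores standing in for the authorization server state.
ACCESS_TTL = 60          # access token lifetime in seconds (assumed value)
_access = {}             # access token -> expiry timestamp
_refresh = {}            # refresh token -> "valid" or "used"


def issue_tokens(now):
    """Token endpoint, steps (A)/(B): answer an authorization grant with an
    access token and an opaque refresh token (grant validation omitted)."""
    access = secrets.token_urlsafe(32)
    refresh = secrets.token_urlsafe(32)
    _access[access] = now + ACCESS_TTL
    _refresh[refresh] = "valid"
    return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TTL}


def serve_resource(access, now):
    """Resource server, steps (C)/(D)/(D'): it checks the access token only;
    a refresh token is never presented here."""
    if _access.get(access, 0) > now:
        return "protected resource"
    return "invalid_token"


def refresh_tokens(refresh, now):
    """Token endpoint, steps (E)/(F): accept a valid refresh token, retire it
    and issue a fresh access/refresh pair. A retired token is rejected
    (assumed behaviour: the page only says a new refresh token is issued)."""
    if _refresh.get(refresh) != "valid":
        return {"error": "invalid_grant"}
    _refresh[refresh] = "used"
    return issue_tokens(now)


def client_session(now):
    """Client: use the access token while it is valid, then fall back to the
    refresh token. Returns (first call, call after expiry, call after refresh,
    result of presenting the old refresh token again)."""
    tokens = issue_tokens(now)
    first = serve_resource(tokens["access_token"], now)
    later = now + ACCESS_TTL + 1               # access token has expired
    expired = serve_resource(tokens["access_token"], later)
    renewed = refresh_tokens(tokens["refresh_token"], later)
    after = serve_resource(renewed["access_token"], later)
    replay = refresh_tokens(tokens["refresh_token"], later)
    return first, expired, after, replay
```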

5 - Documentation / Reference
