Access and Refresh Tokens
We use tokens to authenticate users and authorize requests without keeping session data on the server. A token is a piece of data that vouches for a user’s identity, much as a digital signature vouches for a document.
An access token, issued by an authorization server, grants temporary access to protected resources such as APIs or websites. Access tokens are generally valid for only a few minutes or hours; the lifetime is a setting chosen to limit how long a leaked token remains usable against the resource server.
Refresh tokens: in the OAuth 2.0 authorization framework, refresh tokens let developers manage user sessions across native, web-based, and single-page apps. They let users log in once and stay signed in for long periods without re-entering their password. They also add a layer of security around sensitive data while improving the user experience.
When the access token is invalid
The resource server refuses to fulfil the request and responds with an invalid-token error.
The app sends a new access token request to the authorization server, presenting the refresh token.
The authorization server validates the previously issued refresh token and sends back a new access token.
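The three-step recovery above, as an added example that is not part of the original text: an in-memory authorization server, resource server and client, all constructed here for illustration, with a signed short-lived access token, single-use (rotated) refresh tokens, and a client that refreshes exactly once on invalid_token rather than retrying in a loop. The token format, the signing key and the class and method names are assumptions of this example, not a specification.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo signing key; a real authorization server uses a managed key.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def mint_access_token(claims: dict) -> str:
    """Encode claims as base64url(JSON).hex(HMAC-SHA256): a minimal signed token."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_access_token(token: str, now: int):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        body, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("exp", 0) <= now:               # short lifetime enforced here
        return None
    return claims


class AuthorizationServer:
    """Issues short-lived access tokens and single-use refresh tokens (rotation)."""

    def __init__(self, access_ttl: int = 300):
        self.access_ttl = access_ttl
        self._refresh_tokens = {}  # refresh token -> subject (server-side state)

    def login(self, subject: str, now: int):
        return self._issue(subject, now)

    def refresh(self, refresh_token: str, now: int):
        # Consume the refresh token: a replayed, unknown or revoked token yields None.
        subject = self._refresh_tokens.pop(refresh_token, None)
        if subject is None:
            return None
        return self._issue(subject, now)

    def _issue(self, subject: str, now: int):
        access = mint_access_token({"sub": subject, "exp": now + self.access_ttl})
        refresh = secrets.token_urlsafe(32)
        self._refresh_tokens[refresh] = subject
        return access, refresh


class ResourceServer:
    """Accepts only a valid, unexpired access token; otherwise answers 401 invalid_token."""

    def handle(self, access_token: str, now: int):
        claims = verify_access_token(access_token, now)
        if claims is None:
            return 401, {"error": "invalid_token"}
        return 200, {"data": f"profile of {claims['sub']}"}


class Client:
    """App holding both tokens; refreshes once on invalid_token and never loops."""

    def __init__(self, auth: AuthorizationServer, resource: ResourceServer, subject: str, now: int):
        self.auth, self.resource = auth, resource
        self.access, self.refresh = auth.login(subject, now)
        self.refreshes = 0

    def call(self, now: int):
        status, body = self.resource.handle(self.access, now)
        if status == 401 and body.get("error") == "invalid_token":
            tokens = self.auth.refresh(self.refresh, now)
            if tokens is None:
                # Refresh rejected: the user must authenticate again.
                return 401, {"error": "login_required"}
            self.access, self.refresh = tokens
            self.refreshes += 1
            status, body = self.resource.handle(self.access, now)  # single retry
        return status, body


def run_flow():
    """Walk the flow with a simulated clock; returns values the test below checks."""
    auth = AuthorizationServer(access_ttl=300)
    client = Client(auth, ResourceServer(), "alice", now=1000)
    old_refresh = client.refresh
    first = client.call(now=1010)              # access token still valid
    second = client.call(now=1400)             # expired -> refreshed transparently
    replay = auth.refresh(old_refresh, 1400)   # rotated refresh token cannot be reused
    auth._refresh_tokens.clear()               # simulate revocation of all sessions
    third = client.call(now=1800)              # expired again, refresh rejected
    return first[0], second[0], client.refreshes, replay, third
```

Run `run_flow()` to see the sequence: the first call succeeds directly, the second succeeds only after one refresh, the old refresh token is rejected on replay, and once the session is revoked the client reports that a fresh login is required instead of retrying.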