
I am making an OAuth 2.0 request and it is returning me JSON with refresh_token and access_token. Why are there 2 in OAuth 2.0?

  • Which one is short lived?
  • What is the purpose of both?

I read this question on SO but that didn't help me much. Any help in this regard will be appreciated. Thanks


1 Answer


The access token is what you will use to authenticate your service requests. It generally contains details about the user or is directly mapped to the permissions about the user and the permissions that he has granted.
These tokens are short lived - something like one hour, the actual duration differs per provider.

The refresh tokens on the other hand are used to get a new access token when the one that you have expires. They have a much longer (sometimes infinite, until explicitly revoked) lifetime.

Now, let's consider an end to end scenario. Let's say you create an app that does Facebook actions on a user's behalf - post on their timeline etc.

  • Your app redirects the user to log in to Facebook - you use Facebook SDK for this.
  • When the user successfully logs in and gives you the required permissions (post on timeline) you get an access token and a refresh token.
  • Your app can now hit the Facebook API to post on the user's timeline on his behalf with the access token. This token can be used for one hour (or whatever time the access token is valid).
  • Once the token is about to expire, you can hit a Facebook API to refresh the access token, as this one is about to expire. So, you call into the API with refresh + access tokens.
  • The API returns a new access token to you - you can use this now till it expires.

PS - This is not how it happens for Facebook actually. This was just a random example to explain how refresh and access tokens differ.

If this makes sense, go back to the question that you have linked. It has some really good answers. :)

divyanshm
  • awesome, now the other question makes sense... PS sorry I can't upvote your answer due to reputation, Thank you anyways :) – user3646405 Sep 06 '14 at 19:22
  • That's perfectly fine. Glad that the explanation helped. – divyanshm Sep 08 '14 at 03:01
  • So it seems like the main benefit of Refresh Tokens is that the user doesn't have to explicitly give your app permission to perform an action -- they give permission one time, you receive an access token / refresh token, and then you use that refresh token to get another access token? I guess that's why the grant-type is request_token? – Byte Lab Oct 23 '14 at 18:32
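The token lifecycle the answer walks through, as an added example that is not part of the answer or of any provider's SDK: a constructed mock token endpoint issues a short-lived access token plus a long-lived refresh token, and a client refreshes transparently before expiry. The refresh grant follows RFC 6749 section 6 (grant_type=refresh_token); the server rotates refresh tokens so a leaked old one cannot be replayed, and a rejected refresh forces the user to sign in again.

```python
import secrets
ACCESS_TTL = 3600  # access tokens are short-lived: one hour here

class MockAuthServer:
    """Constructed stand-in for a provider's token endpoint (not a real API)."""
    def __init__(self):
        self._access = {}      # access_token -> expiry (epoch seconds)
        self._refresh = set()  # refresh tokens not yet used or revoked

    def _issue(self, now):
        resp = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": secrets.token_urlsafe(32)}
        self._access[resp["access_token"]] = now + ACCESS_TTL
        self._refresh.add(resp["refresh_token"])
        return resp

    def authorize(self, now):
        """Initial grant: the user logs in and consents once."""
        return self._issue(now)

    def token(self, grant_type, refresh_token, now):
        """Refresh grant (RFC 6749 s6); rotates the refresh token so a replayed one fails."""
        if grant_type != "refresh_token" or refresh_token not in self._refresh:
            return {"error": "invalid_grant"}
        self._refresh.discard(refresh_token)
        return self._issue(now)

    def validate(self, access_token, now):
        """Resource-server check: token known and not yet expired."""
        return self._access.get(access_token, 0) > now

class Client:
    """Holds both tokens and refreshes transparently before the access token expires."""
    def __init__(self, server, now):
        self.server = server
        self._store(server.authorize(now), now)

    def _store(self, resp, now):
        self.access_token = resp["access_token"]
        self.refresh_token = resp["refresh_token"]  # long-lived secret: store it protected
        self.expires_at = now + resp["expires_in"]

    def bearer(self, now, skew=60):
        """Return a usable access token, refreshing within `skew` seconds of expiry."""
        if now >= self.expires_at - skew:
            resp = self.server.token("refresh_token", self.refresh_token, now)
            if "error" in resp:
                raise PermissionError("refresh rejected: user must sign in again")
            self._store(resp, now)
        return self.access_token
```

Only the short-lived access token ever reaches the resource API, so a leaked access token is useful for at most an hour, while the refresh token stays between the client and the token endpoint.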