
Based upon the OAuth 2.0 protocol, refresh tokens are used to re-authenticate an access token and mainly to support revocation by saving refresh tokens into a database and controlling them. What is the benefit of doing this? Why not save the access token itself?

Asked by kosnkov

2 Answers


Access tokens are short lived; they normally only work for 1 hour. In order to get a new access token you use the refresh token.

Page 24:

    Authorization servers SHOULD issue access tokens with a limited
    lifetime and require clients to refresh them by requesting a new
    access token using the same assertion if it is still valid.
    Otherwise the client MUST obtain a new valid assertion.

By sending a refresh token and requesting a new access token this gives the authentication server a chance to verify that you still have access and the user has not revoked your access.

Answering why below:

The reason access tokens are short lived is that if they are compromised the attacker has a limited amount of time to use it. It will normally expire within an hour.

If the refresh token is compromised it is useless because the hacker doesn't have access to the client id which must be sent to the authentication server at the same time to get a new access token.

Answered by Linda Lawton - DaImTo
  • Where does either specification (OAuth 1.0 or 2.0) state that access tokens "normally only work for 1 hour"? Are you sure you're not just making that part up? – user1431072 Nov 12 '14 at 15:01
  • 2
    I am speaking from experience. Google is one hour i believe that Twitter and Facebook are also one hour. This is something that is set up in the authentication server and may differ from server to server. My experience is that all access tokens i have met have expired after an hour. FYI welcome to stack if I made up my answers I would quickly have no rep left. – Linda Lawton - DaImTo Nov 12 '14 at 15:41
  • 3
    A practical reason I implemented it was that your users don't have to keep signing in, without storing their credentials, and a refresh token lets you invalidate the token (log out users) without having to hit the database and load their whole authorization ticket with each request, you only have to do it with each refresh request. Also I don't see the point of the client id and secret you use it with the refresh token to get a new access token, seems to me that if you are able to steal a refresh token you'd probably get the client id and secret too, making them pointless. – rethenhouser2 Apr 01 '15 at 14:39
  • 1
    Why can't client just use expired access token in refresh token request (ofcourse with additional client is). Server can re-issue a new access token then also. As number of request would be same, client will be hitting refresh token flow everytime one access token expires – 404 Not Found Jun 06 '20 at 08:34
  • Becouse thats not how Oauth2 works. YOu might want to read the RFC for Oauth some day. – Linda Lawton - DaImTo Jun 07 '20 at 15:06
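The following is an added example, not code from the question or from any of the answers, written to show the split the accepted answer and the comments describe: a short-lived access token that a resource server verifies statelessly (no database hit per request), and a refresh token that is stored server-side and is the only thing the authorization server checks for revocation. The token format (HMAC-SHA256 over a base64url JSON body), the `AuthorizationServer` class, the signing key and the sample user/client ids are all constructed for this illustration and are not part of the OAuth 2.0 specification. The one-hour lifetime is taken from the answer.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key: in a real deployment this comes from a secret store.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
ACCESS_TTL = 3600  # one hour, as the answer above describes


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(sub: str, client_id: str, now: float) -> str:
    """Self-contained signed access token; holders of the key verify it without any lookup."""
    payload = {"sub": sub, "client_id": client_id, "exp": int(now) + ACCESS_TTL}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_access_token(token: str, now: float):
    """Resource-server side: returns the payload if signature and expiry check out, else None.
    No store is consulted, which is why a revoked user keeps access until 'exp'."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # malformed token or bad base64 (binascii.Error is a ValueError)
        return None
    return None if payload["exp"] <= now else payload


class AuthorizationServer:
    """Keeps only refresh tokens (hashed) so that revocation is a single flag flip."""

    def __init__(self):
        self.refresh_store = {}  # sha256(refresh token) -> record

    @staticmethod
    def _key(refresh_token: str) -> str:
        return hashlib.sha256(refresh_token.encode()).hexdigest()

    def grant(self, sub: str, client_id: str, now: float):
        refresh = secrets.token_urlsafe(32)
        self.refresh_store[self._key(refresh)] = {"sub": sub, "client_id": client_id, "revoked": False}
        return issue_access_token(sub, client_id, now), refresh

    def refresh(self, refresh_token: str, client_id: str, now: float):
        """The refresh request is the point where revocation and client binding are enforced."""
        rec = self.refresh_store.get(self._key(refresh_token))
        if rec is None or rec["revoked"] or rec["client_id"] != client_id:
            return None
        return issue_access_token(rec["sub"], rec["client_id"], now)

    def revoke(self, refresh_token: str) -> None:
        rec = self.refresh_store.get(self._key(refresh_token))
        if rec is not None:
            rec["revoked"] = True


def run_scenario() -> dict:
    """Walks through issue, expiry, refresh, client mismatch, revocation and tampering."""
    srv = AuthorizationServer()
    t0 = 1_700_000_000.0  # constructed fixed clock so the run is deterministic
    access, refresh = srv.grant("alice", "client-123", t0)
    r = {}
    r["fresh_valid"] = verify_access_token(access, t0 + 10) is not None
    r["expired"] = verify_access_token(access, t0 + ACCESS_TTL + 1) is None
    new_access = srv.refresh(refresh, "client-123", t0 + ACCESS_TTL + 1)
    r["refresh_ok"] = new_access is not None
    r["wrong_client_rejected"] = srv.refresh(refresh, "other-client", t0) is None
    srv.revoke(refresh)
    r["refresh_after_revoke_rejected"] = srv.refresh(refresh, "client-123", t0 + ACCESS_TTL + 1) is None
    # Revocation is only visible at refresh time: the last issued access token lives out its hour.
    r["access_outlives_revocation_until_exp"] = verify_access_token(new_access, t0 + ACCESS_TTL + 100) is not None
    # Re-using a valid signature over an altered body fails the HMAC check.
    _, sig = access.split(".")
    forged_body = _b64(json.dumps({"sub": "mallory", "client_id": "client-123",
                                   "exp": int(t0) + ACCESS_TTL}, separators=(",", ":")).encode())
    r["tampered_rejected"] = verify_access_token(f"{forged_body}.{sig}", t0) is None
    return r


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The scenario makes the trade-off in the thread concrete: each request costs one HMAC check and no storage round trip, while revoking a user costs one write and takes effect at the next refresh, so the access-token lifetime is also the upper bound on how long a revoked session (or a stolen access token) keeps working. Storing only a hash of the refresh token means a leaked store does not directly yield usable refresh tokens.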

See Why Does OAuth v2 Have Both Access and Refresh Tokens? for an extended answer that includes the revocation considerations.

Answered by Hans Z.