
It seems that OAuth 2.0 has 2 different types of tokens.

1: access tokens
2: refresh tokens

According to the Google doc for "API Client Library for Python: Getting Started" ...

When a user grants your application access, the OAuth 2.0 authorization server provides your application with refresh and access tokens. These tokens are only valid for the scope requested. Your application uses access tokens to authorize API calls. Access tokens expire, but refresh tokens do not. Your application can use a refresh token to acquire a new access token.

On the surface, this sounds like unnecessary complexity to me.
Simple is better than complex.
Why do we need 2?
What is gained by the additional complexity of having to manage 2?

Alex Ryan

1 Answer


Seems like this is a duplicate question.

"The idea of refresh tokens is that if an access token is compromised, because it is short-lived, the attacker has a limited window in which to abuse it.

Refresh tokens, if compromised, are useless because the attacker requires the client id and secret in addition to the refresh token in order to gain an access token."

Why Does OAuth v2 Have Both Access and Refresh Tokens?

Alex Ryan
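Worked example, added here and not part of the question or the linked answer: a toy in-process authorization server and API client in Python that show the two-token flow described in the Google doc and the rationale in the answer. The client uses the short-lived access token until it stops validating, then trades the refresh token plus its client id and secret for a new one; the same server rejects a refresh token presented without the correct client secret, and stops honouring an access token once its lifetime is over. The client id `app-123`, secret `s3cret`, scope `drive.readonly`, the lifetime `ACCESS_TTL`, and the `FakeClock` are all constructed for the example; nothing here is Google's library or a real OAuth endpoint.

```python
import hmac
import secrets
import time

ACCESS_TTL = 3600  # seconds an access token is honoured (constructed value)


class FakeClock:
    """Controllable clock so the example runs deterministically offline."""
    def __init__(self, start=1_000_000.0):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class AuthServer:
    """Toy stand-in for an OAuth 2.0 authorization server (constructed for this example)."""
    def __init__(self, clients, now=time.time):
        self.clients = clients       # client_id -> client_secret
        self.now = now
        self.refresh_tokens = {}     # refresh_token -> (client_id, scope); long-lived
        self.access_tokens = {}      # access_token -> (client_id, scope, expires_at); short-lived

    def _issue_access(self, client_id, scope):
        token = secrets.token_urlsafe(24)
        self.access_tokens[token] = (client_id, scope, self.now() + ACCESS_TTL)
        return token

    def grant(self, client_id, scope):
        """After the user consents, hand the client both tokens, bound to the requested scope."""
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = (client_id, scope)
        return {"access_token": self._issue_access(client_id, scope),
                "refresh_token": refresh, "expires_in": ACCESS_TTL, "scope": scope}

    def refresh(self, refresh_token, client_id, client_secret):
        """Refresh grant: the refresh token alone is not enough, the client must authenticate too."""
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("invalid_client")
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid_grant")
        _, scope = entry
        return {"access_token": self._issue_access(client_id, scope),
                "expires_in": ACCESS_TTL, "scope": scope}

    def introspect(self, access_token):
        """Per-request check a resource server makes: scope if valid and unexpired, else None."""
        entry = self.access_tokens.get(access_token)
        if entry is None or entry[2] <= self.now():
            return None
        return entry[1]


class ApiClient:
    """Client that refreshes transparently once its access token stops validating."""
    def __init__(self, server, client_id, client_secret, tokens):
        self.server, self.client_id, self.client_secret = server, client_id, client_secret
        self.access_token = tokens["access_token"]
        self.refresh_token = tokens["refresh_token"]
        self.refresh_count = 0

    def call_api(self):
        scope = self.server.introspect(self.access_token)
        if scope is None:
            # Access token expired: exchange refresh token + client credentials for a new one.
            resp = self.server.refresh(self.refresh_token, self.client_id, self.client_secret)
            self.access_token = resp["access_token"]
            self.refresh_count += 1
            scope = self.server.introspect(self.access_token)
        return scope


def run_scenario():
    """Exercise the flow and return the observable outcomes as a dict."""
    clock = FakeClock()
    server = AuthServer({"app-123": "s3cret"}, now=clock)  # constructed client credentials
    tokens = server.grant("app-123", "drive.readonly")
    client = ApiClient(server, "app-123", "s3cret", tokens)
    out = {"first_call": client.call_api(), "refreshes_after_first_call": client.refresh_count}

    # A captured access token is honoured only until it expires: a bounded window.
    leaked_access = tokens["access_token"]
    out["leaked_access_before_expiry"] = server.introspect(leaked_access)
    clock.advance(ACCESS_TTL + 1)
    out["leaked_access_after_expiry"] = server.introspect(leaked_access)

    # The legitimate client keeps working; its next call costs exactly one refresh.
    out["call_after_expiry"] = client.call_api()
    out["refreshes_after_expiry"] = client.refresh_count

    # A refresh token presented without the client secret is rejected outright.
    try:
        server.refresh(tokens["refresh_token"], "app-123", "wrong-secret")
        out["refresh_without_secret"] = "accepted"
    except PermissionError as err:
        out["refresh_without_secret"] = str(err)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the module prints the scenario: the first call succeeds with no refresh, the leaked access token validates before expiry and not after, the client's call after expiry succeeds with `refresh_count` at 1, and the refresh attempt with the wrong secret fails with `invalid_client`. The split is what buys the reduced window: the access token, which crosses the wire on every API call, dies on its own, while the refresh token, which is only sent to the authorization server, is useless without the client credentials.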