3

I've already seen

Why Does OAuth v2 Have Both Access and Refresh Tokens?

https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/

As per my understanding, this is how OAuth v2 works:

1) user sends his credentials to the server which validates it and returns an access_token and a refresh_token

2) user sends this acsess_token along with further requests to identify himself

3) when the access_token expires, the user sends another request to the server with refresh_token and other required parameters asking for a new access_token and refresh_token

Here's my question:

What's the need of a separate refresh_token ? Why not send the old access_token ( which is about to be expired anyway ), for a new one ??

What's the additional advantage of using a refresh_token ?

mrid
  • 5,782
  • 5
  • 28
  • 71

1 Answers1

2

The access token is, in theory, more in play. It could be in a browser, on the server-side of a client, on the authorization server or on a resource server. The access token will be attached to every API request whereas the refresh token should be used much less frequently.

A couple quotations from the web...

Unlike access tokens, refresh tokens are intended for use only with authorization servers and are never sent to resource servers. https://www.rfc-editor.org/rfc/rfc6749#section-10.4

[Refresh tokens] are usually subject to strict storage requirements to ensure they are not leaked. https://auth0.com/learn/refresh-tokens/

Basically, if we only had access token, the attack surface would be greater.

Community
  • 1
  • 1
sdoxsee
  • 4,451
  • 1
  • 25
  • 60