
I am trying to understand this access_token / refresh_token feature, and this is what I understood:

-- LOGIN:

CREATES access_token;

CREATES refresh_token, sends to DB;

SENDS refresh_token + access_token to client;

  • access_token expired: API automatically CREATES a new access_token, using refresh_token;

  • refresh_token expired: API DENIES all requests, forcing the client to login again.

And I heard that you need to save the refresh_token in a 'sessions' table of the database, or something like it. But I can't understand why, since the client will/may send the refresh_token on all requests, making it useless to save it to the DB.

I don't know if I got anything wrong; I hope you can help me out!

Müller
  • Does this answer your question? [What is the purpose of a "Refresh Token"?](https://stackoverflow.com/questions/38986005/what-is-the-purpose-of-a-refresh-token) – Progman Jan 25 '23 at 20:25
  • There is something I didn't understand: is this method for third parties only? "Access tokens are issued to third-party clients" – Müller Jan 25 '23 at 22:22

1 Answer


What is a little bit awkward (or unclear) in your example is which system creates the access and refresh tokens and sends them to the customers.

Based on the description, I would conclude that this is the identity provider - the client authenticated themselves and got those tokens as a result.

Now when the client calls an API (on a resource provider), they have to include the access token with each request. The resource provider would take the access token and validate it. If the access token is not valid, the API just has to return "access denied".

The client has to use the refresh token to get the new access token from the identity provider and repeat the call to the API on the resource provider.

This would be the typical usage of the flow.

The other common use case is to allow a backend system to make API calls on behalf of the client - in those cases, the backend system has both the access token and the refresh token, so it can maintain the logged-in state even if the client is not around.

It might be that your example is some kind of hybrid solution - both the customer and the backend make some calls to the IdP.

AndrewR
  • It was not an example, it was simply how I had understood it so far. But thank you for that usage flow you shared with me. I wasn't sure how this method works – Müller Jan 26 '23 at 22:54
  • No problem. If I may recommend, please read about these terms: identity provider and resource provider, and how a client gets authorized on the resource provider. – AndrewR Jan 26 '23 at 23:35
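As an added example (this is not code from the question or the answer above), here is a runnable Python model of the flow both of them describe: an identity provider that issues a signed, short-lived access token plus an opaque refresh token, a resource server that only checks the access token, and a client that refreshes once on "access denied" and falls back to logging in again when the refresh is rejected. The 'sessions' table the question asks about is the `sessions` dict: it holds only a hash of each refresh token, and that lookup is what lets the identity provider rotate a refresh token on use, reject a reused one and revoke a session server-side; validating the access token needs no database at all. The user store, signing key, TTLs, hex token encoding and the fake clock are assumptions made for the demo.

```python
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 15 * 60          # short-lived, self-contained (signed claims)
REFRESH_TTL = 7 * 24 * 3600   # long-lived, opaque, looked up in the sessions table


def _sign(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def _h(token: str) -> str:       # the sessions table stores this, never the raw token
    return hashlib.sha256(token.encode()).hexdigest()


class IdentityProvider:
    def __init__(self, key: bytes, users: dict, clock=time.time) -> None:
        self.key, self.users, self.clock = key, users, clock
        self.sessions = {}           # sha256(refresh_token) -> {"sub": ..., "exp": ...}

    def login(self, username: str, password: str):
        expected = self.users.get(username)   # demo only: a real IdP stores password hashes
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        return self._issue(username)

    def refresh(self, refresh_token: str):
        sess = self.sessions.pop(_h(refresh_token), None)   # one-time use: rotate on refresh
        if sess is None or sess["exp"] <= self.clock():
            return None              # unknown, revoked, already used, or expired
        return self._issue(sess["sub"])

    def revoke(self, refresh_token: str) -> None:
        self.sessions.pop(_h(refresh_token), None)          # server-side logout

    def _issue(self, sub: str) -> dict:
        now = int(self.clock())
        body = json.dumps({"sub": sub, "exp": now + ACCESS_TTL}).encode()
        refresh = secrets.token_urlsafe(32)
        self.sessions[_h(refresh)] = {"sub": sub, "exp": now + REFRESH_TTL}
        # hex instead of base64url/JWT keeps the demo short; the shape is the same
        return {"access_token": body.hex() + "." + _sign(self.key, body).hex(),
                "refresh_token": refresh}


class ResourceServer:
    """Validates access tokens locally; it never sees refresh tokens or the sessions table."""
    def __init__(self, key: bytes, clock=time.time) -> None:
        self.key, self.clock = key, clock

    def validate(self, access_token: str):
        try:
            body_hex, sig_hex = access_token.split(".")
            body, sig = bytes.fromhex(body_hex), bytes.fromhex(sig_hex)
            if not hmac.compare_digest(sig, _sign(self.key, body)):
                return None
            claims = json.loads(body)
        except (ValueError, TypeError):
            return None
        return claims if claims.get("exp", 0) > self.clock() else None

    def get_profile(self, access_token: str):
        claims = self.validate(access_token)
        return (200, {"profile_of": claims["sub"]}) if claims else (401, {"error": "access denied"})


class Client:
    """Sends only the access token to the API; the refresh token goes only to the IdP."""
    def __init__(self, idp: IdentityProvider, api: ResourceServer, tokens: dict) -> None:
        self.idp, self.api, self.tokens = idp, api, tokens

    def get_profile(self):
        if self.tokens is None:
            return "login required"
        status, body = self.api.get_profile(self.tokens["access_token"])
        if status == 401:            # access token rejected: refresh once, then retry
            self.tokens = self.idp.refresh(self.tokens["refresh_token"])
            if self.tokens is None:
                return "login required"   # refresh token expired/revoked: back to login
            status, body = self.api.get_profile(self.tokens["access_token"])
        return body if status == 200 else "login required"


def demo() -> list:
    clock, key = [1_700_000_000], secrets.token_bytes(32)   # fake clock: no sleeping needed
    idp = IdentityProvider(key, {"alice": "correct horse battery staple"}, lambda: clock[0])
    client = Client(idp, ResourceServer(key, lambda: clock[0]),
                    idp.login("alice", "correct horse battery staple"))
    out = [client.get_profile()["profile_of"]]
    clock[0] += ACCESS_TTL + 1                    # access token expired, refresh still valid
    stale = client.tokens["refresh_token"]
    out.append(client.get_profile()["profile_of"])
    out.append(idp.refresh(stale) is None)        # the rotated-away token is rejected
    idp.revoke(client.tokens["refresh_token"])    # "log out everywhere" from another device
    clock[0] += ACCESS_TTL + 1
    out.append(client.get_profile())
    client.tokens = idp.login("alice", "correct horse battery staple")
    clock[0] += REFRESH_TTL + 1                   # refresh token expired as well
    out.append(client.get_profile())
    return out
```

`demo()` walks through the scenario in the question: the first call succeeds, the second succeeds only because the client refreshed, the old refresh token is rejected after rotation, a revoked session forces a new login, and an expired refresh token does the same. One caveat the model makes visible: `revoke` removes the session row, but an access token that was already issued stays valid until its own `exp`, because the resource server never consults the table. That is why access tokens are kept short-lived, and why the refresh token, not the access token, is the thing worth storing.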