A refresh token is a special kind of token that can be used at any time to obtain a renewed access token, which allows access to a protected resource.
Questions tagged [refresh-token]
999 questions
823 votes, 21 answers
Why Does OAuth v2 Have Both Access and Refresh Tokens?
Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an access_token (which is used to authenticate oneself with a resource) as well as a refresh_token, which is used purely to create a new…

dave mankoff
264 votes, 11 answers
What is the purpose of a "Refresh Token"?
I have a program that integrates with the YouTube Live Streaming API. It runs on timers, so it's been relatively easy for me to program in to fetch a new Access Token every 50 minutes with a Refresh Token. My question is, why?
When I authenticated…

Jason Axelrod
90 votes, 5 answers
What's the point of refresh token?
I have to confess I've had this question for a very long time and never really understood.
Say an auth token is like a key to a safe; when it expires it's not usable anymore. Now we're given a magic refresh token, which can be used to get another…

wangii
82 votes, 4 answers
How to specify refresh tokens lifespan in Keycloak
Keycloak refresh token lifetime is 1800 seconds:
"refresh_expires_in": 1800
How to specify a different expiration time? In Keycloak admin UI, only access token lifespan can be specified:

rok
35 votes, 5 answers
Why are Refresh Tokens considered insecure for an SPA?
I was reading the documentation on the Auth0 site regarding Refresh Tokens and SPA, and they state that SPAs should not use Refresh Tokens as they cannot be securely stored in a browser, and instead use Silent Authentication to retrieve new…

Eric B.
33 votes, 1 answer
How to Handle Refresh Token When Multiple Requests are going out?
I am using reactjs, mbox and axios and ran into a problem. I have an API that gives out an access token and a refresh token. The access token dies every 20 minutes and when this happens the server sends a 401 back and my code will automatically send the…

chobo2
23 votes, 1 answer
What's the whole point of a JWT refresh token?
I've been reading about this for a while, and nothing makes sense, and the explanations are conflicting, and the comments are proving that.
So far what I understood is that JWTs are storing information encoded by the server, can have expiry times,…

Gergő Horváth
22 votes, 7 answers
How to secure a refresh token?
I'm using JWTs for authenticating users for my app. When a user logs in they are given an access token and a refresh token. To keep the refresh token safe, I don't store it on the client-side, but save it on the back-end with their account so it's…

Abdul Ahmad
21 votes, 4 answers
Using Polly to retry after HttpStatusCode.Unauthorized
I'm making calls to an external API and want to deal with the event that a call returns an Unauthorized HttpResponseMessage. When this happens I want to refresh the access token and make the call again.
I'm trying to use Polly with the following…

Vinyl Warmth
20 votes, 2 answers
Handling Expired Refresh Tokens in ASP.NET Core
See below for code that solved this issue
I'm trying to find the best and most efficient way to deal with a refresh token that has expired within ASP.NET Core 2.1.
Let me explain a bit more.
I am using OAUTH2 and OIDC to request Authorization Code…

bugnuker
20 votes, 1 answer
How do I use oauth2 and refresh tokens with the google api?
So I just spent the last few days trying to figure this out and am asking this question so that I can answer it for other people who are having problems.
First, the Google documentation is TERRIBLE and uses different oauth2 libraries depending on…

user1626536
19 votes, 4 answers
AddOpenIdConnect and Refresh Tokens in ASP.NET Core
I have added AddOpenIdConnect to the ConfigureServices method of my ASP.NET Core 3.1 Razor application. It works great until the token expires, then I get 401 responses from my IDP.
I have seen an example that shows a way to wire up refresh tokens…

Vaccano
19 votes, 2 answers
How do I get a refresh token in Laravel Passport?
I'm using Laravel 6.7 and attempting to use Passport for user authentication.
I'm able to create an access token for the user when they register. Here is the code:
$user = User::create($input);
$user->createToken('auth-token');
This access token…

UndercoverCoder
18 votes, 1 answer
Should I explicitly send the Refresh Token to get a new Access Token - JWT
In my application, I return an access token and a refresh token when a user logs in successfully. The expiration times for access and refresh token have been set to 10 and 40 minutes respectively. (I should do some more research on those values.…

vigamage
16 votes, 2 answers
Angular 8 Intercept call to refresh token
I am trying to refresh the access token if the current access token is expired.
I am sending multiple requests at one time and I want to make a kind of queue, so other requests won't request the refresh token route.
I've googled some best practices and…

AntGrisha