Refresh Token Grant

This lesson discusses how to get an access token from a refresh token.

As we have seen earlier, the access token is valid only for a certain time frame and it expires after the frame has ended. The reason for this is to ensure security because if the access token gets stolen, the attacker can use it until it expires (which takes a long time) or it is blacklisted on the server.

If the client asks the user to authenticate and authorize every time the access token expires then it will be very frustrating. To avoid this, the client app can use a refresh token. A refresh token is a token that can be used to get the access token when it expires. This should be kept highly confidential, because if an attacker gains access to refresh token then the attacker gets unlimited access to the resources.

There are different settings for refresh tokens which are defined by the authorization server. Some tokens are single-use only and others can be used multiple times. Also, the refresh token expires after some time, but this time is much longer than the expiration time of the access token.

Refresh tokens are usually subject to strict storage requirements to ensure they are not leaked. They can also be blacklisted by the authorization server.

Get hands-on with 1400+ tech skills courses.