OAuth2 - Refresh tokens

I want to understand how the usage of a refresh token works. I am posting a request to the /oauth/token endpoint, with a grant type of ‘refresh_token’, for which I get a new access token as well as a new refresh token. This, I see, invalidates the previous refresh token from requesting additional access tokens. Can someone explain to me a use case of such a mechanism for the refresh token? Is there no grant type by which I can only get a new access token?

I was of the assumption that, since the refresh token is long lived, we store it securely and use it to fetch new access tokens as required, from the same refresh token, until it expires. I might be missing something in terms of understanding, so some explanation on this would be appreciated.

I hope I haven’t asked something way out of whack :D. Can someone please help me out with this? Thanks in advance.

I’m not sure what requires explanation - long-lived refresh tokens can be dangerous, so they are regenerated as soon as they are used.

Since refresh tokens are designed to be used by third-party apps not controlled by the resource owner, you don’t want them floating around after they’ve been used; key rotation is pretty standard practice.

If you are generating tokens for a known app that you control, you may as well use the client credentials grant; it’s much simpler.

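To make the rotation behaviour described in the answer concrete, here is an added toy token issuer (example code, not from the original thread or any real OAuth2 server): every use of a refresh token at the token endpoint returns a fresh access token plus a fresh refresh token, the presented refresh token is marked spent, and a second presentation of a spent token is treated as reuse and revokes the whole token family. Token formats, TTLs, the `TokenService` class and the in-memory store are assumptions for illustration.

```python
import secrets
import time


class TokenService:
    """Constructed example of an OAuth2 token endpoint with refresh-token rotation."""

    def __init__(self, access_ttl=300, refresh_ttl=30 * 86400, now=time.time):
        self.access_ttl = access_ttl      # seconds an access token is valid
        self.refresh_ttl = refresh_ttl    # seconds a refresh token is valid
        self.now = now                    # injectable clock for testing expiry
        # refresh_token -> record; "family" ties all tokens descended from one grant
        self._refresh = {}
        self._revoked_families = set()

    def _issue(self, sub, family):
        # Issue a new access token and a new refresh token in the same family.
        refresh = secrets.token_urlsafe(32)
        self._refresh[refresh] = {
            "sub": sub, "family": family,
            "exp": self.now() + self.refresh_ttl, "used": False,
        }
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": self.access_ttl,
            "refresh_token": refresh,
        }

    def grant(self, sub):
        # Initial grant (e.g. after an authorization_code exchange) starts a new family.
        return self._issue(sub, secrets.token_hex(8))

    def refresh(self, refresh_token):
        # grant_type=refresh_token: rotate, and detect replay of a spent token.
        rec = self._refresh.get(refresh_token)
        if rec is None or rec["family"] in self._revoked_families:
            return {"error": "invalid_grant"}
        if rec["used"]:
            # A spent token was presented again: either the legitimate client or a
            # holder of a leaked copy. Revoke the family so neither keeps access.
            self._revoked_families.add(rec["family"])
            return {"error": "invalid_grant", "error_description": "refresh token reuse"}
        if rec["exp"] < self.now():
            return {"error": "invalid_grant", "error_description": "refresh token expired"}
        rec["used"] = True
        return self._issue(rec["sub"], rec["family"])
```

The reuse check is what turns rotation into a detection signal: the spent token is kept (flagged, not deleted), so a replay is distinguishable from a random invalid token.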

Thanks Martin. I guess we were expecting refresh tokens to function slightly differently. This clears up our doubts related to it.