Introduction
Understanding the role of a refresh token in the authorization process is important. In this post we look at what a refresh token is and how it is used in the OAuth 2.0 flow.
What is a Refresh Token?
A refresh token is a credential that is used to obtain a new access token. In the OAuth 2.0 flow, the authorization server issues an opaque string, the access token, to the client; it represents the authorization granted on behalf of the resource owner. An access token may have a limited duration of access (an expiration time) as granted by the resource owner and enforced by the resource server and the authorization server.
You can read more about an Access token here.
When the access token has expired, instead of repeating the authorization grant to get a new access token, the client can use a refresh token to obtain one. The authorization server may hand the client a refresh token together with the access token. The client obtains a new access token by presenting the refresh token to the authorization server. A refresh token cannot be used as an access token.
Note that issuing a refresh token is optional, at the discretion of the authorization server. If the authorization server issues a refresh token, it is included when the access token is issued.
Like an access token, a refresh token is an opaque string.
Role of a Refresh Token in OAuth 2.0 Flow
Image source – https://www.rfc-editor.org/rfc/rfc6749#section-1.5
The authorization server provides an access token and, optionally, a refresh token to the client (Step B). The client uses the provided access token to access the protected resource until the token expires (Steps C, D, E, and F).
When the access token has expired, the client presents the refresh token to the authorization server (Step G). The authorization server then provides a new access token and, optionally, a new refresh token (Step H).
Can a Refresh Token Expire?
A leaked refresh token can put resource owners at risk. Generally a refresh token is long-lived, but it may expire as well; this depends on the authorization server and the resource owner. A refresh token can be expired if it has not been used for a long time, or if the authorization server detects possible misuse.
Once a refresh token has expired, the client needs to ask the resource owner to authenticate again.
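To make Steps B, G and H and the expiry rules above concrete, here is an added example (not code from the original post or from any real authorization server) of the token endpoint's refresh_token grant. It assumes the server rotates the refresh token on every use, expires a refresh token after a period of inactivity, and treats replay of an already-rotated token as the kind of misuse that revokes the whole token family; the lifetimes are constructed values.

```python
import secrets

ACCESS_TTL = 3600              # constructed access token lifetime, in seconds
REFRESH_IDLE_TTL = 30 * 86400  # refresh token expires if unused for this long (constructed)

class AuthorizationServer:
    """Toy model of the token endpoint's refresh_token grant (RFC 6749, section 6).
    Refresh tokens are opaque random strings; presenting one rotates it, and
    presenting an already-rotated token is treated as misuse."""

    def __init__(self, clock):
        self.clock = clock          # callable returning the current time in seconds
        self.refresh_tokens = {}    # opaque refresh token -> record
        self.families = {}          # family id -> set of refresh tokens issued in that chain

    def _issue(self, client_id, scope, family):
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = {"client": client_id, "scope": scope,
                                        "family": family, "issued": self.clock(),
                                        "rotated": False, "revoked": False}
        self.families.setdefault(family, set()).add(refresh)
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": refresh}

    def grant(self, client_id, scope):
        """Step B: initial issuance after a successful authorization grant."""
        return self._issue(client_id, scope, family=secrets.token_hex(8))

    def refresh(self, client_id, refresh_token):
        """Steps G and H: exchange a refresh token for a new access token."""
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec["client"] != client_id or rec["revoked"]:
            return {"error": "invalid_grant"}   # unknown, foreign or revoked token
        if rec["rotated"]:
            # Replay of a token that was already exchanged: assume it leaked and
            # revoke every token in the family, forcing re-authentication.
            for token in self.families[rec["family"]]:
                self.refresh_tokens[token]["revoked"] = True
            return {"error": "invalid_grant"}
        if self.clock() - rec["issued"] > REFRESH_IDLE_TTL:
            rec["revoked"] = True               # expired through inactivity
            return {"error": "invalid_grant"}
        rec["rotated"] = True                   # old refresh token is now spent
        return self._issue(client_id, rec["scope"], rec["family"])
```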
Thanks for reading. Kindly comment for any feedback and suggestions.