#6. OAuth 2.0 Flow – Role Of Refresh Token in OAuth 2.0 Flow


A refresh token is a credential that is used to generate a new access token. I have already explained about Refresh Token in the previous post. In this post, we will learn when and how a Refresh token is used in OAuth 2.0 flow.

YouTube Playlist on OAuth 2.0

Do not forget to subscribe to my channel to support.

OAuth 2.0 Flow With Refresh Token

Image source – https://www.rfc-editor.org/rfc/rfc6749#section-1.5

Before you know more about the role of the refresh token in the OAuth 2.0 flow, you must be aware of OAuth 2.0 flow. Do not worry if you are not aware. Click on the below link to learn about OAuth 2.0 flow –

#1. OAuth 2.0 Flow – How Does It Work?

A Client requests authorization from the resource owner and receives an Authorization grant after successful authentication by the resource owner. This is shown as combined in Step A above.

The client presents the received Authorization grant to the Authorization server and requests for the Access token. The Authorization server verifies the client and authorization grant and issues the access token and refresh token to the client on successful validation. This is shown in Step B in the above flow diagram.

Now the client requests the resource server to provide access to the protected resources of the resource owner by presenting the received access token. The resource server validates the provided access token and provides protected resources for the resource owner. This is shown in Steps C and D.

So the client needs to present an access token to the resource server every time they request the protected resource. An access token has a lifespan and is expired after some fixed time. When the resource server finds that the presented access token is expired then the resource server returns the invalid token error and does not provide access to the protected resource. This is shown in Steps E and F.

At this stage, the client needs to obtain a new Access token. Now the refresh token comes into the picture. The client presents the received Refresh token to the authorization server. The authorization server authenticates the client and validates the refresh token. On successful validation, a new access token is provided to the client. Optionally a new refresh token can also be provided. In this case, the old refresh token will be expired and the client needs to use a new refresh token to generate a new access token once expired. This is shown in Steps G and H.

Thanks for reading. Kindly comment for any feedback and suggestions.

Leave a Reply

Your email address will not be published. Required fields are marked *