What is the difference between an Access Token and a Refresh Token? (OAuth 2.0 and OpenID Connect)

Captions
In OAuth 2.0 or OpenID Connect, there's often talk of two different types of tokens - an access token and a refresh token. An access token is your standard token which you get in exchange for an access token request, typically requiring that the user authenticates, and in return a web service will get an access token. That access token is then used as the way to access various APIs, either at the authorization server, or at various backends, or even at third parties. And that access token typically has a limited lifetime. It has a validity time from the time of issue to the time of expiry, and you can use it while it is still valid. The access token expires at that time, but it can also be revoked earlier, so there's typically a revocation process where the access token can be revoked, which is typical in the event of a logout event, or some other information change, or system change where issued access tokens can be revoked. The authorization server offers an endpoint where that access token can always be checked - is it still valid? - and endpoints for finding out more information about the user, typically called the user information endpoint or the token introspection endpoint.

The other token which comes up is called the refresh token. And the refresh token is all about having a way that the user doesn't always have to interactively sign in. Instead they can sign in once and issue a refresh token to a web service, which allows that web service to request access tokens on behalf of the user without the user being present. So the way it works is that you ask the user to sign into the application, and you request along with that the refresh token. That refresh token is then saved in the user account of the application for next time, when the application needs to access an API on behalf of the user. So it may be a batch call in the middle of the night when the user is no longer on the website. Or it might be a time when the user opens an app on their mobile phone the next day and wants to access API data without having to sign in again interactively.

So in this flow, you exchange the refresh token for an access token. And it's a request done by the connecting application, where they send the refresh token and request in response a fresh access token. And then all of the flows are similar in that they use the same access token. Together with that refresh token request, typically a new refresh token is issued, so that the next request will use a new refresh token.
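The lifecycle the video walks through (an access token with a fixed validity window, an introspection endpoint that answers "is it still valid?", revocation on logout, and a refresh-token exchange that hands back a fresh access token plus a rotated refresh token) can be modelled in a few dozen lines. The following is an added example written for this page, not code from Ubisecure or from any real authorization server: it is an in-memory toy, the lifetimes are constructed values, tokens are opaque random strings rather than JWTs, and the "refresh token reuse kills the whole token family" rule is a defensive addition that the talk does not mention but that rotation is normally paired with.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 300                 # seconds; constructed value for the example
REFRESH_TTL = 30 * 24 * 3600     # seconds; constructed value for the example


@dataclass
class AccessToken:
    value: str
    subject: str
    issued_at: float
    expires_at: float
    revoked: bool = False


@dataclass
class RefreshToken:
    value: str
    subject: str
    family: str        # every rotation descended from one sign-in shares a family id
    expires_at: float
    used: bool = False  # set once exchanged (rotation) or once the user logs out


class AuthorizationServer:
    """Toy authorization server: issues, introspects, revokes and refreshes tokens."""

    def __init__(self, clock=time.time):
        self.clock = clock              # injectable so expiry can be tested deterministically
        self.access: dict[str, AccessToken] = {}
        self.refresh: dict[str, RefreshToken] = {}

    def _issue_pair(self, subject: str, family: str) -> dict:
        now = self.clock()
        at = AccessToken(secrets.token_urlsafe(32), subject, now, now + ACCESS_TTL)
        rt = RefreshToken(secrets.token_urlsafe(32), subject, family, now + REFRESH_TTL)
        self.access[at.value] = at
        self.refresh[rt.value] = rt
        return {"access_token": at.value, "refresh_token": rt.value, "expires_in": ACCESS_TTL}

    def interactive_sign_in(self, subject: str) -> dict:
        # The user authenticates once; the client receives an access token and a refresh token.
        return self._issue_pair(subject, family=secrets.token_hex(8))

    def introspect(self, access_token: str) -> dict:
        # Token introspection: inactive if unknown, revoked, or past its expiry time.
        tok = self.access.get(access_token)
        if tok is None or tok.revoked or self.clock() >= tok.expires_at:
            return {"active": False}
        return {"active": True, "sub": tok.subject, "exp": int(tok.expires_at)}

    def logout(self, subject: str) -> None:
        # Revocation on logout: every access token and refresh token of the subject dies.
        for tok in self.access.values():
            if tok.subject == subject:
                tok.revoked = True
        for rt in self.refresh.values():
            if rt.subject == subject:
                rt.used = True

    def _revoke_family(self, family: str) -> None:
        for rt in self.refresh.values():
            if rt.family == family:
                rt.used = True

    def refresh_grant(self, refresh_token: str) -> dict:
        # The client, without the user present, exchanges the refresh token for a
        # new access token and a rotated refresh token.
        rt = self.refresh.get(refresh_token)
        if rt is None or self.clock() >= rt.expires_at:
            return {"error": "invalid_grant"}
        if rt.used:
            # A rotated-out (or logged-out) refresh token presented again: assume
            # it leaked and revoke every refresh token in the same family.
            self._revoke_family(rt.family)
            return {"error": "invalid_grant"}
        rt.used = True
        return self._issue_pair(rt.subject, rt.family)


class FakeClock:
    """Controllable clock so the example can fast-forward past token expiry."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    srv = AuthorizationServer(clock)
    first = srv.interactive_sign_in("alice")
    print("fresh token active:", srv.introspect(first["access_token"])["active"])
    clock.advance(ACCESS_TTL + 1)                       # e.g. the batch job at night
    print("after expiry active:", srv.introspect(first["access_token"])["active"])
    second = srv.refresh_grant(first["refresh_token"])  # no user interaction needed
    print("refreshed token active:", srv.introspect(second["access_token"])["active"])
    print("old refresh token replayed:", srv.refresh_grant(first["refresh_token"]))
```

Run it with a real clock by constructing `AuthorizationServer()` without arguments; the `FakeClock` exists only so that the expiry path is reachable in a test without sleeping for five minutes. Note how the resource side never needs the refresh token at all: it only ever sees access tokens and asks `introspect` whether they are still good.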
Info
Channel: Ubisecure
Views: 2,199
Keywords: access token, refresh token, difference between access token and refresh token, what is the difference between access token and refresh token, openid connect, oauth, identity tokens
Id: PX90GNc7xo8
Length: 3min 19sec (199 seconds)
Published: Tue Jul 06 2021