top of page

OAuth 2.0 | Access & Refresh Tokens

Assuming we already know what is OAuth or have gone through last article: , it's time to further deep dive into OAuth. Before proceeding further, a small clarification, wherever referred OAuth means we're referring to OAuth 2.0. Time to refresh last article's image below -

OAuth works on the concept of Access & Refresh Tokens. As OAuth is an authorisation protocol, an access token contains the authorisation information to access resources on behalf of end user. In other words, if we're giving access token to an application, we're authorising that application to access the resources. The client application can use that token in further API calls. As soon as server sees token in the request, it understands the authorisation has already been granted to the client and thus allows the request to proceed further. (Of course, after validating the token)

The OAuth standard doesn't specify any particular format for access tokens. However, JWT (pronounced 'jot') - JSON Web Token is the most commonly used format.

Next comes another important part - when does the access token expire and how to get a new token?

Usually, every access token has an expiration timestamp. When the token expires, the client can use refresh token to get a new access token from the server without having to ask the user to re-login. The lifespan of access tokens are usually short whereas refresh tokens have longer lifespans which may be days, months or years.

Thus, refresh tokens are powerful and need to be made sure they are secured well and can be revoked. Otherwise, if went into the hands of any malicious user, it can really compromise on the application security.

I hope, the purpose, usage, difference, importance of both the tokens are clear now. Before we sign off for today, let's see a diagram below.

As mentioned in last article, there is a lot more to understand, but the curiosity should remain, hence we will deep dive further onto this with subsequent articles.

Till then, Happy Learning! Do connect or follow me at LinkedIn, subscribe at YouTube/Facebook/Twitter!

bottom of page