Tuesday, September 23, 2014

OAuth2.0 refresh token and access token

When we implement OAuth2, we have access token and refresh token. Why do we need both refresh token and access token? Using plain English, below are reasons in simplified version.

  • For security reason, OAuth2 has both refresh token and access token. access token is something close to one-time password, which is ideally secure. access token may be expired shortly. Refresh token may last for long time and even will not expire until it will be revoked. 

  • For performance and scalability reason, it better to verify HTTP request on the resource server instead of on central authorization server for every HTTP request.

  • Basically, access_token is kind of temporary password and refresh_token is pass to get temporary password from central authentication server. "temporary" password, access_token, is verified on resource server.

    No comments:

    Post a Comment