Tony Valenti asked ·

Refresh Tokens - Are they supposed to change?

When calling Refresh(RefreshToken) I expect that a new access token is provided but it looks like a whole new refresh token is being provided too. Is that intentional?

Tags: authorization, authentication, refresh access token

Anirban Sen Chowdhary answered ·

Yes, if you generate an access token from a refresh token, in exchange the refresh token gets expired so that no more access tokens can be generated from that same refresh token.

However, it can be used as long as the access token remains active, and it gets expired once a new access token gets generated.


This is incorrect!


What is the incorrect thing in this, @Phong Vu? If you use a refresh token to generate a new access token, that refresh token gets expired. It will generate a new refresh token valid again for 7 days along with an access token valid again for 3600 seconds. I am not sure if this is incorrect.

Phong Vu ♦♦ Anirban Sen Chowdhary ·

My bad about the incorrect message. I got what he asked and you meant now. However, using the word "a refresh token get expired" after refreshing a token is mixing with the situation where the refresh token is expired. The correct statement is that after refreshing an access token, the old refresh token is revoked and a new refresh token with max expiration time is issued.

Tony Valenti answered ·

@Anirban Sen Chowdhary -

Is there a type of refresh token that is persistent? One that won't change every time?

I'm trying to avoid concurrent uses of our app stepping on each other's toes when it comes to the refresh token.


The answer is no. If you are using password flow and want to share the access token between all users, you have to manage the token refresh process in a way that other users will have access to the latest tokens.

If you are using 3-legged authorization, each user's login will have its own access and refresh tokens.

Phong Vu answered ·

Every time you use a valid/unexpired refresh token to exchange for a new access token, you will get a new access token and a new refresh token. The new access token will be valid again for 3600 seconds and the new refresh token will be valid again for 7 days. This helps you avoid re-login as long as you handle this well and your refresh token is not expired.

Tony Valenti answered ·

@Phong Vu is there a way to get a new access token without refreshing the refresh token?


I already answered above.

The answer is no. If you are using password flow and want to share the access token between all users, you have to manage the token refresh process in a way that other users will have access to the latest tokens.

If you are using 3-legged authorization, each user's login will have its own access and refresh tokens.

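One way to manage the refresh process so that concurrent workers always use the latest tokens, as the replies above advise. This is an added example, not code from the thread or from the platform's SDK. `FakeAuthServer`, `SharedTokenStore` and `run_workers` are hypothetical names, and the server is a constructed stand-in that rotates the refresh token on every exchange, using the lifetimes quoted above.

```python
import secrets
import threading
import time

ACCESS_TTL = 3600             # seconds, as stated in the thread
REFRESH_TTL = 7 * 24 * 3600   # 7 days, as stated in the thread

class FakeAuthServer:
    """Constructed stand-in for the token endpoint (assumption, not a real API)."""
    def __init__(self):
        self.live_refresh = secrets.token_hex(8)  # the only refresh token still valid
        self.refresh_calls = 0

    def refresh(self, refresh_token):
        if refresh_token != self.live_refresh:
            raise PermissionError("refresh token revoked")
        self.refresh_calls += 1
        self.live_refresh = secrets.token_hex(8)  # rotation: the old token is revoked
        return {"access_token": secrets.token_hex(8), "expires_in": ACCESS_TTL,
                "refresh_token": self.live_refresh,
                "refresh_token_expires_in": REFRESH_TTL}

class SharedTokenStore:
    """One store per credential; workers read tokens here, never from a private copy."""
    def __init__(self, server, refresh_token, skew=60):
        self._server, self._refresh, self._skew = server, refresh_token, skew
        self._access, self._expires_at = None, 0.0
        self._lock = threading.Lock()

    def access_token(self, now=None):
        with self._lock:  # serialize refresh so a rotated token is never replayed
            now = time.time() if now is None else now
            if self._access is None or now >= self._expires_at - self._skew:
                resp = self._server.refresh(self._refresh)
                self._access = resp["access_token"]
                self._refresh = resp["refresh_token"]  # store the new one at once
                self._expires_at = now + resp["expires_in"]
            return self._access

def run_workers(store, n=8, now=None):
    """Call the store from n threads at once; return the set of tokens they saw."""
    seen = []
    threads = [threading.Thread(target=lambda: seen.append(store.access_token(now)))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return set(seen)
```

The lock covers threads in one process only. Separate processes or hosts need the same check-then-refresh step behind a lock in whatever shared store holds the tokens.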
