Refresh Token

  • Issued to the Client by the Authorization Server

    • Client doesn't know or care what's inside the refresh token.

  • Token is never sent to the protected resource (unlike the access token).

    • Client uses the refresh token to request new access tokens without involving the resource owner.

  • Takes the place of a long-lived token (as access tokens can expire and the resource owner may no longer be there).

    • Only used to get new access tokens.

  • Refresh tokens also give the Client the ability to down-scope its access.

    • Scenario: Client is granted scopes A, B, and C.

      • Client only needs Scope A to make a particular call, and as such it can use the refresh token to request an access token for only Scope A

        • This allows the Client to follow the principle of least privilege.
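The following is an added example, not part of the original notes: a minimal in-memory model of the token endpoint's `grant_type=refresh_token` handling, written to show the two points above. The client treats the refresh token as an opaque handle, and the server enforces down-scoping by rejecting any requested scope that is not a subset of what the resource owner originally granted (RFC 6749 §6). The store, the client id `app`, the subject `alice`, the function names and the one-hour lifetime are all constructed for the example.

```python
import secrets
import time

# Constructed in-memory stores standing in for an authorization server's
# token database (example only; a real server persists and indexes these).
REFRESH_TOKENS = {}   # refresh_token -> {"client_id", "subject", "scope": set}
ACCESS_TOKENS = {}    # access_token  -> {"client_id", "subject", "scope": set, "expires_at"}

ACCESS_TOKEN_LIFETIME = 3600  # seconds; assumed value for the example


def issue_refresh_token(client_id, subject, granted_scope):
    """Issued once at the end of the initial authorization (e.g. after the
    authorization code grant).  The value is an opaque random handle: the
    client never needs to know what it maps to on the server side."""
    token = secrets.token_urlsafe(32)
    REFRESH_TOKENS[token] = {
        "client_id": client_id,
        "subject": subject,
        "scope": set(granted_scope),
    }
    return token


def refresh_grant(client_id, refresh_token, requested_scope=None, now=None):
    """Token endpoint behaviour for grant_type=refresh_token.
    Returns a dict shaped like the JSON body the client would receive."""
    now = time.time() if now is None else now
    record = REFRESH_TOKENS.get(refresh_token)
    # Unknown token, or a token that belongs to a different client: reject.
    if record is None or record["client_id"] != client_id:
        return {"error": "invalid_grant"}

    # Down-scoping: an omitted scope means "same as originally granted";
    # anything requested must be a non-empty subset of the original grant.
    scope = record["scope"] if requested_scope is None else set(requested_scope)
    if not scope or not scope <= record["scope"]:
        return {"error": "invalid_scope"}

    access_token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[access_token] = {
        "client_id": client_id,
        "subject": record["subject"],
        "scope": scope,                       # possibly narrower than the grant
        "expires_at": now + ACCESS_TOKEN_LIFETIME,
    }

    # Rotate the refresh token: the presented one stops working, and the
    # replacement keeps the ORIGINAL scope, because narrowing one access
    # token does not shrink the grant the resource owner made.
    del REFRESH_TOKENS[refresh_token]
    new_refresh = issue_refresh_token(client_id, record["subject"], record["scope"])

    return {
        "access_token": access_token,
        "token_type": "Bearer",
        "expires_in": ACCESS_TOKEN_LIFETIME,
        "scope": " ".join(sorted(scope)),
        "refresh_token": new_refresh,
    }


def check_access(access_token, required_scope, now=None):
    """What a protected resource does with the access token it receives:
    it sees only the (possibly narrowed) scope, never the refresh token."""
    now = time.time() if now is None else now
    record = ACCESS_TOKENS.get(access_token)
    if record is None or record["expires_at"] <= now:
        return False
    return required_scope in record["scope"]


if __name__ == "__main__":
    # Resource owner granted scopes A, B and C to client "app".
    rt = issue_refresh_token("app", "alice", {"A", "B", "C"})
    # Client only needs A for this call, so it asks for a narrowed token.
    resp = refresh_grant("app", rt, requested_scope={"A"})
    print(resp["scope"], check_access(resp["access_token"], "A"),
          check_access(resp["access_token"], "B"))
```

Running the block issues a refresh token for scopes A, B and C, exchanges it for an access token limited to A, and shows that the resource accepts that token for A but not for B. The rotated refresh token still covers the full grant, so a later call can request B or C without going back to the resource owner.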