Refresh Token
Issued to the Client by the Authorization Server
Client doesn't know or care what's inside the refresh token.
Token is never sent to the protected resource (unlike the access token).
Client uses the refresh token to request new access tokens without involving the resource owner.
Takes the place of a long-lived token (as access tokens can expire and the resource owner may no longer be there).
Only used to get new access tokens.
Refresh tokens also give the Client the ability to down-scope its access.
Scenario: Client is granted scopes A, B, and C.
Client only needs Scope A to make a particular call, and as such it can use the refresh token to request an access token for only Scope A.
This allows the Client to follow the principle of least privilege.
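The scenario above, worked through as an added example (not code from the original notes): a minimal in-memory model of an authorization server's token endpoint that issues an opaque refresh token alongside a short-lived access token, then handles a refresh-token grant. The client passes scope "A" on refresh and gets an access token limited to A; asking for a scope that was never granted is refused, matching the RFC 6749 rule that a refreshed scope may not exceed the original grant. The store, client ids, subject and token lifetime are all constructed assumptions for the example.

```python
import secrets
import time

# Constructed in-memory stores standing in for the authorization server's
# persistence layer (assumption: a real server would use a database).
REFRESH_TOKENS = {}     # refresh_token -> {"client_id", "subject", "granted_scopes"}
ACCESS_TOKENS = {}      # access_token  -> {"subject", "scopes", "expires_at"}
ACCESS_TOKEN_TTL = 300  # seconds; access tokens are deliberately short-lived


def _mint_access_token(subject, scopes, now=None):
    """Create an opaque access token bound to a subject and a scope set."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[token] = {
        "subject": subject,
        "scopes": frozenset(scopes),
        "expires_at": now + ACCESS_TOKEN_TTL,
    }
    return token


def issue_grant(client_id, subject, granted_scopes):
    """Called once the resource owner has consented (the authorization code
    exchange itself is not modelled). Returns the first access token plus a
    refresh token. The refresh token is just a random lookup key: the client
    cannot parse it, and only the authorization server can interpret it."""
    refresh_token = secrets.token_urlsafe(32)
    REFRESH_TOKENS[refresh_token] = {
        "client_id": client_id,
        "subject": subject,
        "granted_scopes": frozenset(granted_scopes),
    }
    access_token = _mint_access_token(subject, granted_scopes)
    return {
        "access_token": access_token,
        "refresh_token": refresh_token,
        "scope": " ".join(sorted(granted_scopes)),
        "expires_in": ACCESS_TOKEN_TTL,
    }


def refresh(client_id, refresh_token, requested_scope=None):
    """Token endpoint handling of grant_type=refresh_token (RFC 6749 section 6).
    The resource owner is not involved. If the client sends a scope parameter
    it must be a subset of the original grant: down-scoping is allowed,
    escalation is refused with invalid_scope."""
    grant = REFRESH_TOKENS.get(refresh_token)
    if grant is None or grant["client_id"] != client_id:
        return {"error": "invalid_grant"}
    granted = grant["granted_scopes"]
    if requested_scope is None:
        scopes = granted
    else:
        scopes = frozenset(requested_scope.split())
        if not scopes or not scopes <= granted:
            return {"error": "invalid_scope"}
    access_token = _mint_access_token(grant["subject"], scopes)
    return {
        "access_token": access_token,
        "scope": " ".join(sorted(scopes)),
        "expires_in": ACCESS_TOKEN_TTL,
    }


def introspect(access_token, now=None):
    """What a protected resource would check: the token exists and is unexpired.
    Only access tokens are looked up here; a refresh token presented to the
    resource is simply unknown and therefore inactive."""
    now = time.time() if now is None else now
    rec = ACCESS_TOKENS.get(access_token)
    if rec is None or rec["expires_at"] <= now:
        return {"active": False}
    return {"active": True, "scope": " ".join(sorted(rec["scopes"])), "sub": rec["subject"]}


if __name__ == "__main__":
    first = issue_grant("client-1", "alice", ["A", "B", "C"])
    print("initial scope:", first["scope"])
    down = refresh("client-1", first["refresh_token"], requested_scope="A")
    print("down-scoped token scope:", introspect(down["access_token"])["scope"])
    print("escalation attempt:", refresh("client-1", first["refresh_token"], "A D"))
```

The refresh path never touches the resource owner, and the protected resource only ever sees access tokens; the client holds the refresh token purely to obtain new, possibly narrower, access tokens.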