3
votes

I think I get the flow of OAuth2 using the Authorization Code grant type. The resource owner logs into a server, then gets redirected to the client with an authorization code. The client then uses the authorization code to query the authorization server for an access token and refresh token. This is where I get confused.

When the access token expires, should the client use the authorization code or refresh token to get a new access token? Why would you want a refresh token if you have an authorization code?

Note I am not looking for an answer saying "The refresh token is optional" because I am writing this server for amazon-alexa, a service that requires refresh tokens AND the authorization code grant type.


1 Answer

1
votes

If the oauth2 server was written according to the security guidelines for authorization codes in RFC 6749 Section 10.5, you couldn't reuse it to obtain a second access_token.

Authorization codes MUST be short lived and single-use. If the authorization server observes multiple attempts to exchange an authorization code for an access token, the authorization server SHOULD attempt to revoke all access tokens already granted based on the compromised authorization code.

The refresh_token, if granted, can be exchanged for another access_token and new refresh_token using the refresh_token grant. The user doesn't have to reauthenticate if the refresh_token is still valid in that case.
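As an added illustration (not code from the question or the answer), here is a minimal in-memory token endpoint that enforces both rules above: an authorization code is consumed on its first exchange and any replay revokes every token derived from it (RFC 6749 §10.5), while the refresh_token grant mints a new access token and rotates the refresh token without the user re-authenticating. Client authentication, persistence and the HTTP layer are omitted; the class and method names are hypothetical.

```python
import secrets
import time


class TokenEndpoint:
    """Toy OAuth2 token endpoint (added example, not a real library)."""

    def __init__(self, code_ttl=60, access_ttl=3600):
        self.code_ttl, self.access_ttl = code_ttl, access_ttl
        self.codes = {}    # code -> {"client_id", "used", "exp"}
        self.access = {}   # access_token -> {"client_id", "code", "exp"}
        self.refresh = {}  # refresh_token -> {"client_id", "code"}

    def issue_code(self, client_id):
        """Authorization endpoint side: hand out a short-lived, single-use code."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "used": False,
                            "exp": time.time() + self.code_ttl}
        return code

    def _issue_tokens(self, client_id, code):
        # Every token remembers the code it descends from so a replay can revoke it.
        at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[at] = {"client_id": client_id, "code": code,
                           "exp": time.time() + self.access_ttl}
        self.refresh[rt] = {"client_id": client_id, "code": code}
        return {"access_token": at, "refresh_token": rt,
                "token_type": "Bearer", "expires_in": self.access_ttl}

    def token(self, grant_type, client_id, code=None, refresh_token=None):
        if grant_type == "authorization_code":
            rec = self.codes.get(code)
            if rec is None or rec["client_id"] != client_id or rec["exp"] < time.time():
                return {"error": "invalid_grant"}
            if rec["used"]:
                # Replayed code: treat it as compromised and revoke everything derived from it.
                self.access = {t: v for t, v in self.access.items() if v["code"] != code}
                self.refresh = {t: v for t, v in self.refresh.items() if v["code"] != code}
                return {"error": "invalid_grant"}
            rec["used"] = True
            return self._issue_tokens(client_id, code)
        if grant_type == "refresh_token":
            rec = self.refresh.pop(refresh_token, None)  # rotate: old refresh token is spent
            if rec is None or rec["client_id"] != client_id:
                return {"error": "invalid_grant"}
            return self._issue_tokens(client_id, rec["code"])
        return {"error": "unsupported_grant_type"}

    def introspect(self, access_token):
        """Resource server side: is this access token currently valid?"""
        rec = self.access.get(access_token)
        return rec is not None and rec["exp"] > time.time()
```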