4
votes

I have read about JWT and access tokens and refresh tokens. I understand that you have to set the access token expiration to a very short time (minutes) and use refresh tokens to obtain a new access token whenever it has expired.

Three things are not clear to me:

  1. Who checks the access token for expiration? Is the client checking that and requesting a new access code by sending the expired access token along with the refresh token?
  2. Who checks the refresh token for expiration? (Obviously the refresh token needs an expiration as well, although it takes longer to expire.)
  3. From my point of view, if a refresh token is expired, the user must be prompted to re-login. This is something that needs to be avoided in some scenarios (mobile apps). How can it be avoided?

1 Answer

4
votes

To answer your question:

  • The API that uses the access token will return an error when the access token has expired.
  • The API that uses the refresh token to get a new access token will return a specific refresh-token-related error.
  • About refreshing of the refresh token, please see the answer below.

Generally you need to do some error handling for each API call.

About refreshing of the refresh token

I investigated more, and this is what I found:

  1. First-time login and authorization to get an access token and a refresh token (optional); if the access token never expires, a refresh token is not necessary. => https://www.oauth.com/oauth2-servers/access-tokens/access-token-response/. Recently (2019/11/16), I found this really depends on the implementation of the API provider. For example, PayPal provides an access token with an expiry time but without a refresh token, so when the access token expires, you have to get a new access token again.
  2. When the access token expires, use the refresh token to get a new access token and refresh token (optional) => https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/. This time you have a new refresh token, which means you have a new refresh token every time you refresh an access token. If the response doesn't have a new refresh token, you only have the old refresh token from the first step.
  3. If the user doesn't use the app for a long time, then the user doesn't have a chance to refresh the access token and refresh token, so the user needs to log in again after a long time, when the refresh token has expired.
  4. Like @jwilleke said, even if the user does not use the app, the server side or the app can do it for the user automatically; then it will always have a new access token and refresh token.
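The refresh flow the answer walks through, as an added Python example that is not from the question, the answer or any provider: the access-token expiry check lives on the client, the refresh-token expiry check lives on the server, a rotated refresh token is kept when the response carries one and the login-time token otherwise, and an expired refresh token surfaces as a re-login requirement. `FakeAuthServer`, `TokenClient`, the `invalid_grant` handling and the token strings are constructed stand-ins, not any real provider's API.

```python
import time

class RefreshError(Exception): pass    # token endpoint rejected the refresh token
class LoginRequired(Exception): pass   # client has nothing usable; the user must log in again

class FakeAuthServer:  # constructed stand-in for an OAuth 2.0 token endpoint, not a real provider
    def __init__(self, access_ttl=60, refresh_ttl=3600, rotate=True, clock=time.time):
        self.access_ttl, self.refresh_ttl, self.rotate, self.clock = access_ttl, refresh_ttl, rotate, clock
        self._refresh, self._n = {}, 0  # refresh_token -> expiry: the server checks this, not the client

    def _issue(self, with_refresh):
        self._n += 1
        resp = {"access_token": f"at-{self._n}", "expires_in": self.access_ttl}
        if with_refresh:
            resp["refresh_token"] = f"rt-{self._n}"
            self._refresh[resp["refresh_token"]] = self.clock() + self.refresh_ttl
        return resp

    def login(self, username, password):
        return self._issue(with_refresh=True)

    def refresh(self, refresh_token):
        # a rotating server retires the presented refresh token whether or not it is still valid
        exp = self._refresh.pop(refresh_token, None) if self.rotate else self._refresh.get(refresh_token)
        if exp is None or exp <= self.clock():
            raise RefreshError("invalid_grant")  # RFC 6749 error code for an expired/invalid refresh token
        return self._issue(with_refresh=self.rotate)

class TokenClient:  # client side: remembers when the access token expires and refreshes on demand
    def __init__(self, server, clock=time.time, skew=5):
        self.server, self.clock, self.skew = server, clock, skew
        self.access = self.access_exp = self.refresh = None

    def _store(self, resp):
        self.access, self.access_exp = resp["access_token"], self.clock() + resp["expires_in"]
        self.refresh = resp.get("refresh_token", self.refresh)  # rotated token if any, else keep the old one

    def login(self, username, password):
        self._store(self.server.login(username, password))

    def get_access_token(self):
        if self.access and self.clock() + self.skew < self.access_exp:
            return self.access  # still valid (with a clock-skew margin), no round trip
        try:
            self._store(self.server.refresh(self.refresh))
        except RefreshError:
            self.access = self.refresh = None  # drop the dead credentials so the caller re-authenticates
            raise LoginRequired("refresh token missing, expired or revoked")
        return self.access
```

Calling `get_access_token()` from a background timer before the refresh token's lifetime runs out is the step-4 behaviour the answer describes; `LoginRequired` is the point where a mobile app would have to show the login screen.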