Saturday 13 February 2016

Why Does OAuth v2 Have Both Access Tokens and Refresh Tokens?

The OAuth 2.0 protocol allows an authorization server to return both an access_token, which the client presents to a resource server to access a protected resource, and a refresh_token, which is used only to obtain a new access_token from the authorization server.

So why have both? Why not make the access_token last as long as the refresh_token and do without a refresh_token altogether?

But going through Google and Stack Overflow I found a nice answer: the actual reason to use a refresh token has to do with claims.

Each token carries claims, which can include anything from the user's name to their roles or the provider that issued the claim.

When a token is refreshed, these claims are re-read from the identity provider and updated, so a role that was granted or revoked since the original grant shows up in the new access token.

Refreshing more often obviously puts more load on the identity service, but in return the claims the resource server acts on are more accurate and up to date. The same short lifetime also limits the exposure window of a stolen access token, since a resource server typically validates it locally (signature and expiry) without consulting the authorization server, whereas the refresh token is only ever sent to the authorization server and can be revoked there.
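The exchange described above, as an added example that is not part of the original post and not any particular library's code: a toy authorization server mints short-lived HMAC-signed access tokens whose claims are read from a user directory, hands out an opaque refresh token alongside, and re-reads the claims on every refresh. A resource server validates the access token locally from signature and expiry alone. The signing key, the user directory, the refresh-token store, the 300-second lifetime and the demo user are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed for this example: signing key, user directory and refresh store.
# A real authorization server would hold these in a KMS/HSM and a database.
SIGNING_KEY = b"constructed-demo-key-do-not-use-in-production"
ACCESS_TOKEN_TTL = 300  # seconds; deliberately short

USER_DIRECTORY = {"alice": {"name": "Alice Example", "roles": ["viewer"]}}
REFRESH_STORE = {}  # refresh_token -> {"sub": ..., "revoked": bool}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(sub: str, now: float) -> str:
    """Build a compact HMAC-signed token; claims are read fresh from the directory."""
    user = USER_DIRECTORY[sub]
    payload = {"sub": sub, "name": user["name"], "roles": list(user["roles"]),
               "iat": int(now), "exp": int(now) + ACCESS_TOKEN_TTL}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def issue_tokens(sub: str, now: float) -> dict:
    """Initial grant: a short-lived access token plus an opaque refresh token."""
    refresh = secrets.token_urlsafe(32)
    REFRESH_STORE[refresh] = {"sub": sub, "revoked": False}
    return {"access_token": mint_access_token(sub, now), "refresh_token": refresh}


def refresh_access_token(refresh_token: str, now: float) -> dict:
    """Refresh grant: the refresh token is only ever presented to the auth server,
    which can therefore refuse a revoked one and re-evaluate claims."""
    entry = REFRESH_STORE.get(refresh_token)
    if entry is None or entry["revoked"]:
        raise PermissionError("invalid_grant")
    return {"access_token": mint_access_token(entry["sub"], now)}


def revoke_refresh_token(refresh_token: str) -> None:
    if refresh_token in REFRESH_STORE:
        REFRESH_STORE[refresh_token]["revoked"] = True


def validate_access_token(token: str, now: float) -> Optional[dict]:
    """Resource-server check: signature and expiry only, no call to the auth server.
    Returns the claims on success, None on any failure."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    if claims["exp"] <= now:
        return None
    return claims


def demo_role_change() -> tuple:
    """Grant, change a role at the IdP, observe the stale token, refresh, expire, revoke."""
    USER_DIRECTORY["alice"]["roles"] = ["viewer"]  # reset so the demo is repeatable
    t0 = 1_700_000_000.0
    tokens = issue_tokens("alice", t0)
    before = validate_access_token(tokens["access_token"], t0 + 10)["roles"]
    USER_DIRECTORY["alice"]["roles"].append("admin")  # role granted after issuance
    stale = validate_access_token(tokens["access_token"], t0 + 20)["roles"]
    refreshed = refresh_access_token(tokens["refresh_token"], t0 + 30)
    after = validate_access_token(refreshed["access_token"], t0 + 40)["roles"]
    expired = validate_access_token(tokens["access_token"], t0 + ACCESS_TOKEN_TTL + 1)
    revoke_refresh_token(tokens["refresh_token"])
    try:
        refresh_access_token(tokens["refresh_token"], t0 + 50)
        revoked_refused = False
    except PermissionError:
        revoked_refused = True
    return before, stale, after, expired, revoked_refused


if __name__ == "__main__":
    print(demo_role_change())
```

The walk-through makes the trade-off concrete: the original access token keeps reporting the old roles until it expires, because the resource server never asks the authorization server; only the refresh produces a token with the updated claims, and revoking the refresh token stops any further renewals.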

Want to know more about OAuth 2.0? Then click here: What is OAuth 2.
