
In OAuth 2.0, after an access token expires, what specific type of token allows a client to get a new access token without making the user log in again?



The token that allows a client to obtain a new access token without making the user log in again is a Refresh Token. A Refresh Token is a long-lived credential that the Authorization Server issues alongside the Access Token during the initial user authorization. An Access Token is a short-lived credential that the client presents to a Resource Server to access protected resources on the user's behalf; a Refresh Token's sole purpose is to be exchanged, securely, at the Authorization Server's token endpoint for a new, valid Access Token once the current one has expired. This exchange is called token refreshing.

When a client application, such as a mobile app or a web application, detects that its Access Token is no longer valid (for example, by receiving an `invalid_token` error from a Resource Server), it sends the Refresh Token to the Authorization Server's token endpoint in a request whose grant type is `refresh_token`. The Authorization Server validates the Refresh Token and, if it is valid and has not been revoked, issues a new Access Token. Many implementations also issue a new Refresh Token in the same response, a practice known as Refresh Token rotation, which improves security.

Because this exchange happens directly between the client and the Authorization Server, no direct interaction from the end user, such as re-entering credentials or re-approving the application, is required, which gives a seamless experience. Refresh Tokens are highly sensitive and must be kept confidential by the client application, since a compromised Refresh Token would let an attacker obtain new Access Tokens indefinitely.

The Authorization Server retains the ability to revoke Refresh Tokens at any time, for instance when the user explicitly logs out of the application, changes their password, or when the Authorization Server detects suspicious activity; any subsequent refresh attempt with a revoked token is immediately rejected.
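The following is an added example, not code from the original answer or from any real OAuth library. It is a hypothetical in-memory Authorization Server whose `token_endpoint` handles the `refresh_token` grant described above: it checks that the presented Refresh Token exists, belongs to the authenticated client, is unexpired and unrevoked, refuses to widen the scope, issues a new Access Token, rotates the Refresh Token, and treats reuse of an already rotated token as a sign of compromise by revoking the whole token family. The `authorize` method stands in for the initial user authorization (the authorization code exchange is elided), and `client_id` is assumed to have been authenticated before the endpoint is called; the class, method and field names are all assumptions of this example.

```python
"""Hypothetical in-memory OAuth 2.0 Authorization Server token endpoint.

Demonstrates the refresh_token grant: validating a Refresh Token, issuing a
new Access Token, rotating the Refresh Token, detecting reuse of an already
rotated token, and revocation on logout. Added example; not code from the
page or from any real library.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass

ACCESS_TOKEN_TTL = 600              # seconds; access tokens are short-lived
REFRESH_TOKEN_TTL = 30 * 24 * 3600  # seconds; refresh tokens are long-lived


@dataclass
class RefreshRecord:
    """Server-side state for one Refresh Token (stored by hash, never in clear)."""
    client_id: str
    user_id: str
    scope: str
    family: str          # all tokens descended from one user authorization share a family
    expires_at: float
    used: bool = False   # set once the token has been exchanged (rotation)
    revoked: bool = False


class AuthorizationServer:
    def __init__(self):
        self._refresh: dict[str, RefreshRecord] = {}
        self._revoked_families: set[str] = set()
        self.now = time.time   # injectable clock so expiry can be tested

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash so a database leak does not leak usable tokens
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, client_id, user_id, scope, family):
        access_token = secrets.token_urlsafe(32)
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[self._digest(refresh_token)] = RefreshRecord(
            client_id, user_id, scope, family, self.now() + REFRESH_TOKEN_TTL)
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL, "refresh_token": refresh_token,
                "scope": scope}

    def authorize(self, client_id, user_id, scope):
        """Initial grant after the user authorizes the client (the user-facing
        authorization code exchange is elided). Starts a new rotation family."""
        return self._issue(client_id, user_id, scope, secrets.token_hex(8))

    def token_endpoint(self, client_id, params):
        """Handle POST /token for an already-authenticated client.
        Returns (http_status, json_body) like a real token endpoint would."""
        if params.get("grant_type") != "refresh_token":
            return 400, {"error": "unsupported_grant_type"}
        presented = params.get("refresh_token")
        if not presented:
            return 400, {"error": "invalid_request"}
        rec = self._refresh.get(self._digest(presented))
        if (rec is None or rec.client_id != client_id or rec.revoked
                or rec.family in self._revoked_families
                or rec.expires_at <= self.now()):
            return 400, {"error": "invalid_grant"}
        if rec.used:
            # A rotated-out token came back: either the legitimate client lost
            # the response or a stolen copy is being replayed. Either way, kill
            # the whole family so neither holder can keep refreshing.
            self._revoked_families.add(rec.family)
            return 400, {"error": "invalid_grant"}
        scope = params.get("scope", rec.scope)
        if not set(scope.split()) <= set(rec.scope.split()):
            return 400, {"error": "invalid_scope"}  # refresh may narrow, never widen
        rec.used = True   # rotation: the presented token is now spent
        return 200, self._issue(client_id, rec.user_id, scope, rec.family)

    def revoke_user(self, user_id):
        """Logout or password change: invalidate every Refresh Token of the user."""
        for rec in self._refresh.values():
            if rec.user_id == user_id:
                rec.revoked = True


if __name__ == "__main__":
    srv = AuthorizationServer()
    first = srv.authorize("mobile-app", "alice", "read write")
    status, second = srv.token_endpoint(
        "mobile-app", {"grant_type": "refresh_token",
                       "refresh_token": first["refresh_token"]})
    print(status, "rotated:", second["refresh_token"] != first["refresh_token"])
    # Replaying the old token now poisons the whole family
    print(srv.token_endpoint("mobile-app", {"grant_type": "refresh_token",
                                           "refresh_token": first["refresh_token"]}))
    print(srv.token_endpoint("mobile-app", {"grant_type": "refresh_token",
                                           "refresh_token": second["refresh_token"]}))
```

Two design choices matter for detection and containment: the server stores only a hash of each Refresh Token, so a leaked database does not yield usable credentials, and the rotation family lets it distinguish a normal refresh from a replay of a token that has already been rotated out, which is the point at which the server should log the event and revoke every descendant of that grant.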