CalebG

Reputation: 283

Preserving OAuth 2.0 Token on Browser Refresh

Implementing a website that talks to an OAuth 2.0 server. The user signs in, gets the bearer token, and all is good until he refreshes the page and the bearer token is lost.

To prevent having my user sign in again, I was thinking of using the refresh token and requesting a new bearer token from the server. This means that I have to cache the refresh token locally.

Is this frowned upon? How do people store the bearer token on page refresh?

Upvotes: 0

Views: 2237

Answers (2)

JotaBe

Reputation: 39045

The usual way to store the Bearer token is in a session cookie, so that the token is not lost unless the user closes the browser. This is the usual way to do it, but you can store it wherever you want, for example in HTML5 storage. It will be useful until it expires. However, it's important to include the token in the request (usually in the Authorization header) so you'll have to recover it from wherever it is stored.

The refresh token is not there for asking for a new token, but to renew it before it expires. For example, if the token is configured to expire in one hour you can use the refresh token to renew it within that hour. If your token expires, the refresh token can no longer be used.

Upvotes: 1
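
The storage-plus-Authorization-header approach this answer describes, and the refresh step the question asks about, as an added example (not code from the question or either answer). It assumes a hypothetical token endpoint at `/oauth/token` that accepts `grant_type=refresh_token` and replies with `{access_token, refresh_token, expires_in}`; `MemoryStorage` is a constructed stand-in so the code also runs outside a browser, where you would pass `window.sessionStorage` and `window.fetch` instead.

```javascript
// Added example (not from the thread). Token endpoint /oauth/token and the response shape
// {access_token, refresh_token, expires_in} are assumptions; MemoryStorage is a constructed
// stand-in so the code runs outside a browser (pass window.sessionStorage/window.fetch there).
const KEY = "oauth_tokens"; // single storage slot for the whole token set

class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

class TokenStore {
  constructor(storage, fetchFn, now = () => Date.now()) {
    Object.assign(this, { storage, fetchFn, now });
  }
  // Store an absolute expiry so a reloaded page can tell whether the token is still usable.
  save({ access_token, refresh_token, expires_in }) {
    const rec = { access_token, refresh_token, expires_at: this.now() + expires_in * 1000 };
    this.storage.setItem(KEY, JSON.stringify(rec));
    return rec;
  }
  load() {
    const raw = this.storage.getItem(KEY);
    return raw ? JSON.parse(raw) : null;
  }
  // After a reload: reuse the cached access token while it has more than skewMs left,
  // otherwise trade the refresh token for a new token set. Returns null when the user
  // has to sign in again (nothing cached, or the server rejected the refresh).
  async getAccessToken(skewMs = 30_000) {
    const rec = this.load();
    if (!rec) return null;
    if (rec.expires_at - this.now() > skewMs) return rec.access_token;
    if (!rec.refresh_token) return null;
    const res = await this.fetchFn("/oauth/token", {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: new URLSearchParams({ grant_type: "refresh_token", refresh_token: rec.refresh_token }),
    });
    if (!res.ok) { this.storage.removeItem(KEY); return null; } // rejected: drop stale tokens
    return this.save(await res.json()).access_token;
  }
  // Every API call recovers the token from storage and sends it in the Authorization header.
  async apiFetch(url, init = {}) {
    const token = await this.getAccessToken();
    if (!token) throw new Error("not signed in");
    return this.fetchFn(url, { ...init, headers: { ...(init.headers || {}), Authorization: `Bearer ${token}` } });
  }
}
```

Anything kept in `sessionStorage` or `localStorage` is readable by every script running on the page, so a refresh token cached this way is only as safe as the page is from XSS; many deployments therefore keep the refresh token server-side or in an HttpOnly cookie and cache only the short-lived access token in the browser.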

OhadR

Reputation: 8849

The refresh token is supposed to be used upon access-token expiration.

It appears that when the user refreshes the browser, the session is "dead", hence authentication is lost. Did you check it on different browsers? Can you check that the "session" is there after refresh? (In Chrome it is easy to check.) Are you using Spring? Technically, I think you have to configure your application to use sessions...

Upvotes: 0
