Reputation: 55
I am making an OAuth 2.0 request and it is returning JSON with refresh_token and access_token. Why are there 2 in OAuth 2.0?
I read this question on SO but that didn't help me much. Any help in this regard will be appreciated. Thanks
Upvotes: 1
Views: 238
Reputation: 6810
The access token is what you will use to authenticate your service requests. It generally contains details about the user or is directly mapped to the permissions about the user and the permissions that he has granted.
These tokens are short lived - something like one hour, the actual duration differs per provider.
The refresh tokens, on the other hand, are used to get a new access token when the one that you have expires. They have a much longer (sometimes infinite, until explicitly revoked) lifetime.
Now, let's consider an end to end scenario. Let's say you create an app that does Facebook actions on a user's behalf - post on their timeline etc.
refresh + access tokens.
PS - This is not how it happens for Facebook actually. This was just a random example to explain how refresh and access tokens differ.
If this makes sense, go back to the question that you have linked. It has some really good answers. :)
Upvotes: 1
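The token lifecycle the answer describes, as an added example that is not part of the original answer: a client uses its access token until the server rejects it, then exchanges the refresh token for a new one, and has to send the user back through authorization once the refresh token is revoked. `ToyAuthServer` and `call_with_refresh` are hypothetical names, the server is an in-memory stand-in for a real provider, and the clock is passed in as `now` (an assumption that lets the example run without waiting).

```python
import secrets

ACCESS_TTL = 3600  # seconds; "something like one hour" in the answer, varies per provider

class ToyAuthServer:
    """In-memory stand-in for a provider's token endpoint and API (hypothetical)."""
    def __init__(self):
        self.access = {}   # access_token -> (user, expires_at)
        self.refresh = {}  # refresh_token -> user; no expiry, valid until revoked

    def _issue_access(self, user, now):
        tok = secrets.token_urlsafe(16)
        self.access[tok] = (user, now + ACCESS_TTL)
        return {"access_token": tok, "expires_in": ACCESS_TTL}

    def authorize(self, user, now):
        # Initial grant: returns both tokens, like the JSON in the question.
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = user
        return {**self._issue_access(user, now), "refresh_token": rt}

    def token(self, params, now):
        # Refresh grant (RFC 6749 section 6): grant_type=refresh_token
        if params.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        user = self.refresh.get(params.get("refresh_token"))
        if user is None:
            return {"error": "invalid_grant"}  # revoked or unknown refresh token
        return self._issue_access(user, now)

    def revoke(self, refresh_token):
        self.refresh.pop(refresh_token, None)

    def api_call(self, access_token, now):
        user, expires_at = self.access.get(access_token, (None, 0))
        return 200 if user and now < expires_at else 401

def call_with_refresh(server, tokens, now):
    """Call the API; on 401 try one refresh and retry. Returns (status, tokens)."""
    status = server.api_call(tokens["access_token"], now)
    if status == 401:
        resp = server.token({"grant_type": "refresh_token",
                             "refresh_token": tokens["refresh_token"]}, now)
        if "error" in resp:
            return 401, tokens  # refresh token no longer valid: user must re-authorize
        tokens = {**tokens, **resp}
        status = server.api_call(tokens["access_token"], now)
    return status, tokens
```

The refresh token is only ever sent to the token endpoint, never to the API, which is why it can be long-lived while the access token that travels with every request stays short-lived.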