Refresh token in Oauth2.0

Question

I am making an OAuth 2.0 request and it is returning me JSON with refresh_token and access_token, why are there are 2 in OAuth2.0?

• Which one is short lived?
• What is the purpose of both?

I read this question on SO but that didn'e helped me much, Any help in this regard will be appreciated Thanks

Answer 1

The access token is what you will use to authenticate your service requests. It generally contains details about the user or is directly mapped to the permissions about the user and the permissions that he has granted.
These tokens are short lived - something like one hour, the actual duration differs per provider.

The refresh tokens on the other hand are used to get a new access token when the one that you have expires. They have a much longer (sometime infinite, until explicitly revoked) lifetime.

Now, let's consider an end to end scenario. Let's say you create an app that does Facebook actions on a user's behalf - post on their timeline etc.

• Your app redirects the user to log in to Facebook - you use Facebook SDK for this.
• When the user successfully logs in and gives you the required permissions (post on timeline) you get an access token and a refresh token.
• Your app can now hit the Facebook API to post on the user's timeline on his behalf with the access token. This token can be used for one hour (or whatever time the access token is valid)
• Once the token is about to expire, you can hit a Facebook API to refresh the access token, as this one is about to expire. So, you call into the API with refresh + access tokens.
• The API returns a new access token to you - you can use this now till it expires.

PS - This is not how it happens for Facebook actually. This was just a random example to explain how refresh and access tokens differ.

If this makes sense, go back to the question that you have linked. It has some really good answers. :)