plsnoban

Reputation: 351

In OAuth2, why not always use the refresh token?

In OAuth2, to my understanding there is an accessToken - which expires after a relatively short time frame, and a refreshToken - which is used to generate a new accessToken.

My question is, why should I ever go through the trouble of checking whether the accessToken is valid or catching specific token expiry errors, instead of just getting a new accessToken every time with my refreshToken? Are there any downsides to this approach?

Upvotes: 1

Views: 54

Answers (1)

Mohit Mutha

Reputation: 3001

It is technically feasible but creates unnecessary requests to the OAuth server. You can instead do error handling for expired tokens and attempt to retrieve an access token using the refresh token if you get an expiry error.

That way you do not need to call your OAuth server every time (saves one request) and call the resource server only. Call the OAuth server only the first time and in case of expiry.

Upvotes: 1
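An added illustration of the trade-off the answer describes (example code, not from the question or answer): a constructed in-memory token endpoint and resource server let a client run both strategies, "refresh before every call" versus "refresh once on a 401 and retry", and count how many requests each sends to the OAuth server. All class and token names are assumptions made up for the simulation.

```python
class FakeAuthServer:
    """Constructed stand-in for the OAuth2 token endpoint; not a real server."""

    def __init__(self, access_ttl):
        self.access_ttl = access_ttl
        self.issued = {}  # access token -> expiry time, shared with the resource server
        self.calls = 0    # how often the client hit the token endpoint

    def refresh(self, refresh_token, now):
        # A real endpoint would validate refresh_token; the fake just issues a new token.
        self.calls += 1
        token = f"at-{self.calls}"
        self.issued[token] = now + self.access_ttl
        return token


class FakeResourceServer:
    """Constructed API server: 401 for unknown or expired access tokens, else 200."""

    def __init__(self, auth):
        self.auth, self.calls = auth, 0

    def get(self, access_token, now):
        self.calls += 1
        exp = self.auth.issued.get(access_token)
        return 200 if exp is not None and now < exp else 401


class Client:
    def __init__(self, auth, rs, always_refresh):
        self.auth, self.rs, self.always_refresh = auth, rs, always_refresh
        self.access = None

    def call(self, now):
        if self.always_refresh or self.access is None:
            self.access = self.auth.refresh("rt-constructed", now)
            return self.rs.get(self.access, now)
        status = self.rs.get(self.access, now)
        if status == 401:  # token expired: refresh exactly once and retry
            self.access = self.auth.refresh("rt-constructed", now)
            status = self.rs.get(self.access, now)
        return status


def simulate(always_refresh, n_calls=10, ttl=5):
    """Return (token endpoint calls, resource server calls, every call succeeded)."""
    auth = FakeAuthServer(ttl)
    client = Client(auth, FakeResourceServer(auth), always_refresh)
    statuses = [client.call(now=t) for t in range(n_calls)]
    return auth.calls, client.rs.calls, all(s == 200 for s in statuses)
```

With ten calls and a five-tick token lifetime, `simulate(True)` sends ten token requests while `simulate(False)` sends two, at the cost of one extra resource-server round trip when the token has expired.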
