Reputation: 138
When it comes to updating the access token of a client with OAuth2, the client might have a refresh token for that matter; here is where I see some disagreement:
Should you update the refresh token and invalidate the old one with every access token update request, or should you keep sending the same refresh token? If so, when do we change it? Do we change it at all?
Upvotes: 2
Views: 871
Reputation: 13059
It will depend on the authorization server that you are using. From the OAuth 2.0 specification's point of view, sending a new refresh token in the token refresh response is optional.
From section 1.5 of the OAuth 2.0 specification:
The authorization server authenticates the client and validates the refresh token, and if valid, issues a new access token (and, optionally, a new refresh token).
So it will depend on the exact implementation. Specific details should be included in your authorization server's documentation.
Also, one thing to note is that it is advisable to code in a way that even the refresh token can expire after some time. Refer to what Google says about their token expiration. Tokens can expire when they have not been used for a long time or when a user revokes tokens issued on his/her behalf. This will be the case even when refresh tokens do not get updated in the token refresh response.
Upvotes: 4
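As an added example (not part of the answer above or of any particular authorization server), a client-side handler in Python for the refresh response the answer describes: it keeps the old refresh token when the server omits a new one, replaces it when one is sent, and treats an `invalid_grant` error as the expired-or-revoked case that requires sending the user through authorization again. The response bodies are constructed samples in the JSON shape of RFC 6749 sections 5.1 and 5.2.

```python
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]
    expires_in: int


class ReauthorizationRequired(Exception):
    """The refresh token is expired or revoked; a new user authorization is needed."""


def apply_refresh_response(current: TokenSet, response_json: str, http_status: int) -> TokenSet:
    """Apply a token-endpoint refresh response (RFC 6749 section 6) to the stored token set.

    - A refresh_token in a successful response is optional. If present, it replaces the
      stored one (the server may have invalidated the old one); if absent, the stored
      refresh token remains the one to use next time.
    - An invalid_grant error means the refresh token itself is no longer accepted
      (expired, revoked by the user, or already rotated), so the client cannot recover
      by retrying and must re-run the authorization flow.
    """
    body = json.loads(response_json)
    if http_status != 200:
        error = body.get("error", "unknown_error")
        if error == "invalid_grant":
            raise ReauthorizationRequired(body.get("error_description", error))
        raise RuntimeError(f"token refresh failed: {error}")
    if body.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token_type in refresh response")
    return TokenSet(
        access_token=body["access_token"],
        # Persist the rotated token before discarding the old one in a real client.
        refresh_token=body.get("refresh_token", current.refresh_token),
        expires_in=int(body.get("expires_in", current.expires_in)),
    )


# Constructed sample responses (not captured from any real server).
ROTATING_RESPONSE = '{"access_token":"at-2","token_type":"Bearer","expires_in":3600,"refresh_token":"rt-2"}'
NON_ROTATING_RESPONSE = '{"access_token":"at-3","token_type":"Bearer","expires_in":1800}'
EXPIRED_RESPONSE = '{"error":"invalid_grant","error_description":"refresh token expired or revoked"}'

if __name__ == "__main__":
    stored = TokenSet("at-1", "rt-1", 3600)
    print(apply_refresh_response(stored, ROTATING_RESPONSE, 200).refresh_token)      # rt-2
    print(apply_refresh_response(stored, NON_ROTATING_RESPONSE, 200).refresh_token)  # rt-1
```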