Dolphin

Reputation: 38985

What is the workflow when the refresh token is expired or invalid?

I am using OAuth 2.0 to design an API (Resource Owner Password Credentials model). Now I was wondering: if the refresh token is expired or invalid, what should the client do? Should the client redirect to the login page, or just invoke the get-refresh-token API with appId & appSecret and the refresh token silently?

Upvotes: 0

Views: 1945

Answers (2)

GAOUL

Reputation: 138

This is a list of points that you must take into consideration before designing your API:

The resource owner password credentials:

  • All the clients need is to send the client_id/client_secret with the username/password/scopes to the /token endpoint of the identity provider (IdP) to get a token;
  • This type of grant is used for server-to-server connections;
  • It should not be used for user authentication or to authenticate web applications;
  • If the token is expired, the client must refresh the token to get a new access_token, by using the same /token endpoint with the refresh_token obtained from the previous call in the params sent to the IdP.

If your IdP accepts the refresh token, you need to send a request with these parameters:

curl --request POST \
--url 'https://YOUR_DOMAIN/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=refresh_token \
--data 'client_id=YOUR_CLIENT_ID' \
--data refresh_token=YOUR_REFRESH_TOKEN

If not, you can make a request to renew the token like the first time.

Now for your question: the refresh token will never expire if the flow is correctly implemented, and this is how it works:

  • First the client submits a request for an access_token, and in the response he gets the access_token and refresh_token;
  • Before the access_token expires, the client needs to make a request with the refresh_token to get a new access_token; in the response we also get a new refresh_token, so the client needs to update its refresh_token with the latest one.

Upvotes: 1

b.s

Reputation: 2755

In case the refresh token has expired, a fresh flow should be initiated where the resource owner provides their credentials to the client. Also, this grant type should only be used where the resource owner has a high-trust relationship with the client, since the owner is obviously sharing their credentials with the client.

Upvotes: 1
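The two answers above describe one client workflow: refresh silently before the access token expires, always keep the newest refresh_token from the response, and only when the IdP rejects the refresh token fall back to a fresh password-grant login. The following is an added example (not code from the question or either answer) that implements that workflow in Python; FakeIdP is a constructed, in-memory stand-in for the IdP's /token endpoint, with the user "alice"/"s3cret" and refresh-token rotation as assumptions, so it runs offline.

```python
# Added example, not code from the question or either answer. FakeIdP is a
# constructed stand-in for the IdP's /token endpoint so the client runs offline.
class FakeIdP:
    def __init__(self):
        self.live_refresh = {"rt-0"}        # refresh tokens still accepted (constructed)
        self.n = 0

    def token(self, form):                  # mimics POST /token with form params
        if form["grant_type"] == "refresh_token":
            if form["refresh_token"] not in self.live_refresh:
                return {"error": "invalid_grant"}          # expired, revoked or reused
            self.live_refresh.discard(form["refresh_token"])  # rotation: single use
        elif form["grant_type"] != "password" or (form["username"], form["password"]) != ("alice", "s3cret"):
            return {"error": "invalid_grant"}              # bad password-grant login
        self.n += 1
        self.live_refresh.add(f"rt-{self.n}")
        return {"access_token": f"at-{self.n}", "refresh_token": f"rt-{self.n}",
                "expires_in": 3600}

class Client:
    def __init__(self, idp, client_id, client_secret, ask_credentials):
        self.idp, self.creds = idp, {"client_id": client_id, "client_secret": client_secret}
        self.ask_credentials = ask_credentials   # re-prompts the resource owner
        self.access_token = self.refresh_token = None
        self.expires_at, self.logins = 0.0, 0    # logins counts user re-prompts

    def _store(self, resp, now):
        self.access_token = resp["access_token"]
        self.refresh_token = resp["refresh_token"]   # always keep the newest one
        self.expires_at = now + resp["expires_in"]

    def get_access_token(self, now):
        if self.access_token and now < self.expires_at - 60:   # still fresh
            return self.access_token
        if self.refresh_token:                                 # try a silent refresh
            resp = self.idp.token({**self.creds, "grant_type": "refresh_token",
                                   "refresh_token": self.refresh_token})
            if "access_token" in resp:
                self._store(resp, now)
                return self.access_token
            self.refresh_token = None   # rejected: discard it instead of retrying
        user, pw = self.ask_credentials()                      # fresh login
        self.logins += 1
        resp = self.idp.token({**self.creds, "grant_type": "password",
                               "username": user, "password": pw})
        if "access_token" not in resp:
            raise PermissionError(resp["error"])
        self._store(resp, now)
        return self.access_token
```

The 60-second margin refreshes slightly before expiry, and a rejected refresh token is dropped rather than retried, so the user is only re-prompted when the IdP really no longer accepts it.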
