OAuth 2.0 - Refresh Token

Sascha Preibisch

4 years ago

51,581 views

Comments:

Mani - 06.10.2023 19:04

Excellent explanation
Salaheddin AbuEin - 11.06.2023 23:48

Thank you.
Riza Dwi Andhika - 09.05.2023 17:43

Why do we need a refresh token? If a refresh token can basically be exchanged for an access token, why don't we just make the access token live longer?

Some people say that a longer-lived access token is not recommended because if the token is stolen while it is still active, the attacker can use it (and therefore we shorten the access token lifetime).

But a refresh token can also be stolen, right 🤷‍♂?
Mohammed Turky - 16.02.2023 03:05

Amazing video Sascha! Very crisp explanation. Thank you!
Enrique Sierra Gutierrez - 02.12.2022 03:58

Thanks Sascha, very clearly explained!
Srini V - 28.11.2022 08:42

Awesome videos. Can you contrast OAuth vs OpenID Connect?
Sam Khazi - 22.11.2022 11:56

Can you please tell me how I can get a refresh token to try?
Debu - 04.11.2022 13:37

The refresh token goes invalid after 7 days. Do you have any suggestions for getting a new refresh token or access token without re-authorization?
Ajay Gupta - 12.10.2022 09:17

Is Kong entirely responsible for refreshing the access token while the refresh token has not expired? If yes, then how? Or do we need to hit some APIs from our end to ask Kong for a new access token?
Ajay Gupta - 21.09.2022 08:47

If the user is using the client app and for some reason puts the laptop into sleep mode with the tab still open in the browser, then when the user is back online, does the user need to authorize again by logging in, or can the user continue accessing it smoothly without the hassle of logging in to the application again?
Sachin Rane - 11.09.2022 14:45

You are a gem. Your description is awesome. Really appreciate it.
Up at the farm - 24.06.2022 02:15

Thank you very much for this informative video!
Vincent - 21.06.2022 21:47

What is the use of a fixed lifetime? Why not use the original access token instead, or do I misunderstand the principle of the access (and refresh) token?
vipul Goriya - 21.06.2022 15:49

Suppose the expiry time of the refresh token is 1 month and someone closes the app and opens it again after 2 months. In that case both tokens have expired, so what are the ways to handle that situation?
Ahmed Mohammed - 05.05.2022 15:40

Thanks for the video.
I would like to share my understanding, from your video and many online resources, of why we can't just use the access token as a refresh token.
There is a scalability reason and there is a security reason.
Scalability reason: an access token can be verified by the resource server without a DB lookup or central server (it just needs a place to get the public key), is usually good for 1 hour, and can be used with any resource server. Highlight: a third-party resource server could have log leaks, weak security etc.; this is not the authorization server.

The security reason: the refresh_token is only ever exchanged with the authorization server, which is the one issuing authorization and is more secure. A refresh token can live forever but an access token cannot; that's why we must have 2.

This mitigates the risk of a long-lived access_token leaking (without a refresh token, the access token would be good-til-revoked).
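The two-token model the comment above describes, as an added Python sketch that is not the video's or the commenter's code: the access token is signed and verified statelessly at the resource server, while the refresh token is opaque, stored only at the authorization server, and therefore revocable. The signing key, lifetimes and user names are constructed for the demo, and an HMAC key stands in for the public-key signature the comment mentions.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo key; a real deployment signs with a private key so resource servers hold only the public half.
SIGNING_KEY = b"constructed-demo-signing-key"
ACCESS_TTL = 3600               # access token good for 1 hour, as in the comment
REFRESH_TTL = 30 * 24 * 3600    # refresh token with a fixed 30-day lifetime

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_access_token(user: str, now: int) -> str:
    """Authorization server: self-contained, signed, short-lived token (JWT-like, simplified)."""
    payload = _b64(json.dumps({"sub": user, "exp": now + ACCESS_TTL}).encode())
    sig = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_access_token(token: str, now: int):
    """Resource server: check signature and expiry locally; returns the subject or None (forged, tampered, expired)."""
    payload, _, sig = token.partition(".")
    expected = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(payload))
    return claims["sub"] if claims["exp"] > now else None

class AuthorizationServer:
    """Only this party ever sees refresh tokens; they are opaque, stored server-side and revocable."""
    def __init__(self):
        self.refresh_store = {}  # refresh token -> (user, expires_at)

    def login(self, user: str, now: int):
        refresh = secrets.token_urlsafe(32)
        self.refresh_store[refresh] = (user, now + REFRESH_TTL)
        return issue_access_token(user, now), refresh

    def refresh_access(self, refresh: str, now: int):
        """Exchange a live refresh token for a fresh 1-hour access token; expired ones are dropped."""
        record = self.refresh_store.get(refresh)
        if record is None or record[1] <= now:
            self.refresh_store.pop(refresh, None)   # user must re-authorize
            return None
        return issue_access_token(record[0], now)

    def revoke(self, refresh: str) -> None:
        self.refresh_store.pop(refresh, None)
```

A leaked access token is only usable until its one-hour `exp` passes, whereas a leaked refresh token can be cut off at once with `revoke`, which the stateless access token cannot offer.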
vipin chand - 26.02.2022 19:03

Great explanation. I got a better understanding of auth from this content.
Jonathan Levin - 03.02.2022 21:46

I don't understand the point of refresh tokens from a security standpoint, though.

If the original exchange is intercepted (say via a MitM), the attacker has both tokens.

If the access token is intercepted by a MitM later, can't the attacker return an 'expired' response, forcing the user to send the refresh token, so it's moot anyway?

In what situation does a refresh token enhance security against a skilled attacker?
Prashanth BP - 28.10.2021 16:54

In the sliding-window implementation of refresh tokens, is it necessary to "authenticate" every time before generating the refresh token? How can this be automated to generate the refresh token so that the end-user experience is seamless?
Ibrahim Magdy - 31.08.2021 20:40

Sending the refresh token with each resource request invalidates the idea of a refresh token. A refresh token shouldn't be used a lot.
Daniyar Tursunov - 03.05.2021 18:02

I get the message "Expired token" when trying to clear the cart and when I try to add items to the cart. After I redeploy the website it works fine for a couple of days, and then crashes with that message. What's the solution? Do I need to add JWT to my project?