Access Token
Token
Protocols like OAuth 2.0 use tokens instead of credentials to authenticate callers and grant access to sensitive resources.
OAuth has two tokens:
- Access and refresh tokens.
- These tokens are commonly implemented as JWTs (JSON Web Tokens).
Access Token
The access token is what grants access to the system.
The access token is a short-lived token that identifies the user.
- Typically expires in 15-60 minutes.
When the access token expires, the server checks the refresh token before issuing a new access token.
The access token is stored only on the client, in memory.
The access token is validated server-side on every authorized call, and the server checks whether the caller has permission to perform the requested action.
Refresh token
A refresh token is a long-lived, one-time-use token.
- Valid for longer, e.g. 90 days.
When the refresh token is valid, the response should set a fresh access token and the logged-in user's context values.
When both the refresh and access tokens are expired, log the user out and require fresh authentication.
The refresh token is persistently stored on the server.
- The stored copy is used to validate the one sent from the client.
The refresh token is also stored on the client as an HTTP-only, Secure cookie (for web clients).
Once used, the refresh token should be invalidated and replaced with the newly generated one.