May 04, 2020

#SpringSecurity: What is the difference between access and refresh token?

Access Token
  • An access token is a string representing an authorization issued to the client. Tokens represent specific scopes and durations of access, granted by the resource owner and enforced by the resource server and authorization server.
  • An access token is sent in the Authorization header of our request and usually looks like 'Bearer h090Yuuyuiyv'. It is verified by the API (the resource server) that the client is calling.
  • Access tokens are often in JWT format, but any format can be used; to the client the token is an opaque string it should never need to parse.
  • Access tokens are usually short lived, because it is difficult (although not impossible) to centrally revoke a self-contained access token once it has been issued; a short expiry bounds the damage a leaked token can do.
  • The job of an access token is to let the client access protected data until the token expires.

Refresh Token
  • A refresh token is issued (along with the access token) to the client by the authorization server.
  • The job of a refresh token is to obtain a new access token from the authorization server when the existing access token has expired or is about to expire. It is only ever presented to the authorization server, never to the resource server.
  • The client can also use a refresh token to obtain additional access tokens with identical or narrower scope; it cannot be used to widen the scope the resource owner originally granted.
  • Issuing a refresh token is optional, at the discretion of the authorization server.
  • A refresh token is long lived. Because it is only ever presented to the authorization server, that server can keep track of it and revoke it at any time, which is not practical for a self-contained access token.
  • Only clients that can keep a refresh token confidential should use refresh tokens: a leaked refresh token lets an attacker mint fresh access tokens for as long as it remains valid.

ID Token
  • An ID token (defined by OpenID Connect, which builds on OAuth 2.0) represents the authenticated user's identity. It is consumed by the client, not by the API.
  • Unlike an access token, whose format is up to the authorization server, an ID token is always a JWT (OpenID Connect requires it), so the client can read and validate its claims.
  • An ID token grants no authorization. Its audience (the aud claim) is the client's own client_id rather than the resource server, so a resource server must reject an ID token that is presented to it as a bearer token. Its job is merely to tell the client who the user is.
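The whole lifecycle described in the three sections above, as an added example that is not code from the original post or from Spring Security: an authorization server issues a short-lived access token, a rotating refresh token and an ID token; a resource server checks the bearer token's signature, audience, expiry and scope; and a refresh may narrow but never widen the granted scope. The HS256 demo key, the issuer `https://auth.example.com`, the resource server identifier `https://api.example.com` and the client id `client-app` are constructed for the example and do not appear in the original post.

```python
"""Minimal OAuth 2.0 / OIDC token lifecycle, stdlib only (added example)."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key. Real deployments load the key from a secret store and
# usually prefer RS256/ES256 so the resource server only needs the public key.
SIGNING_KEY = b"demo-signing-key-do-not-use-in-production"
ISSUER = "https://auth.example.com"            # assumed authorization server
RESOURCE_AUDIENCE = "https://api.example.com"  # assumed resource server identifier
ACCESS_TOKEN_TTL = 300                         # short lived: 5 minutes
REFRESH_TOKEN_TTL = 30 * 24 * 3600             # long lived: 30 days


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims: dict) -> str:
    """Compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_decode(token: str, expected_aud: str, now: float) -> dict:
    """Verify alg, signature, audience and expiry; raise ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")  # e.g. an ID token sent to the API
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


class AuthorizationServer:
    def __init__(self):
        # Refresh tokens are opaque and kept server-side: that is what makes them
        # revocable and single-use, unlike self-contained access tokens.
        self._refresh_tokens = {}

    def issue_tokens(self, client_id: str, user: str, scope: set, now: float) -> dict:
        """Initial grant: access token + refresh token + ID token."""
        return {"access_token": self._mint_access_token(user, scope, now),
                "token_type": "Bearer", "expires_in": ACCESS_TOKEN_TTL,
                "refresh_token": self._new_refresh_token(client_id, user, scope, now),
                "id_token": jwt_encode({"iss": ISSUER, "sub": user, "aud": client_id,
                                        "iat": int(now), "exp": int(now) + ACCESS_TOKEN_TTL})}

    def refresh(self, client_id: str, refresh_token: str, now: float, scope=None) -> dict:
        """Exchange a refresh token for a new access token (and a rotated refresh token)."""
        record = self._refresh_tokens.pop(refresh_token, None)  # single use: rotate on every refresh
        if record is None or record["client_id"] != client_id or now >= record["exp"]:
            raise ValueError("invalid_grant")
        requested = set(scope) if scope is not None else record["scope"]
        if not requested <= record["scope"]:
            raise ValueError("invalid_scope")  # identical or narrower scope only
        return {"access_token": self._mint_access_token(record["user"], requested, now),
                "token_type": "Bearer", "expires_in": ACCESS_TOKEN_TTL,
                "refresh_token": self._new_refresh_token(client_id, record["user"], record["scope"], now)}

    def _mint_access_token(self, user: str, scope: set, now: float) -> str:
        return jwt_encode({"iss": ISSUER, "sub": user, "aud": RESOURCE_AUDIENCE,
                           "scope": " ".join(sorted(scope)), "iat": int(now),
                           "exp": int(now) + ACCESS_TOKEN_TTL})

    def _new_refresh_token(self, client_id: str, user: str, scope: set, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._refresh_tokens[token] = {"client_id": client_id, "user": user,
                                       "scope": set(scope), "exp": now + REFRESH_TOKEN_TTL}
        return token


class ResourceServer:
    def authorize(self, authorization_header: str, required_scope: str, now: float) -> str:
        """Return the subject if the bearer token grants required_scope, else raise."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            raise ValueError("invalid_request")
        claims = jwt_decode(token, RESOURCE_AUDIENCE, now)
        if required_scope not in claims.get("scope", "").split():
            raise ValueError("insufficient_scope")
        return claims["sub"]


def demo() -> dict:
    """Walk through the lifecycle with a fixed clock; returns each outcome by name."""
    t0 = 1_700_000_000.0
    auth, api, out = AuthorizationServer(), ResourceServer(), {}
    tokens = auth.issue_tokens("client-app", "alice", {"read", "write"}, t0)
    out["fresh_ok"] = api.authorize(f"Bearer {tokens['access_token']}", "write", t0 + 60)
    checks = {  # name -> callable expected to raise ValueError
        "expired": lambda: api.authorize(f"Bearer {tokens['access_token']}", "write", t0 + ACCESS_TOKEN_TTL + 1),
        "id_token_rejected": lambda: api.authorize(f"Bearer {tokens['id_token']}", "read", t0 + 60),
    }
    t1 = t0 + ACCESS_TOKEN_TTL + 1  # access token has expired; refresh with narrower scope
    new = auth.refresh("client-app", tokens["refresh_token"], t1, scope={"read"})
    out["refreshed_read"] = api.authorize(f"Bearer {new['access_token']}", "read", t1 + 1)
    checks["narrowed"] = lambda: api.authorize(f"Bearer {new['access_token']}", "write", t1 + 1)
    checks["old_refresh_reused"] = lambda: auth.refresh("client-app", tokens["refresh_token"], t1 + 1)
    checks["scope_escalation"] = lambda: auth.refresh("client-app", new["refresh_token"], t1 + 1, scope={"read", "admin"})
    for name, attempt in checks.items():
        try:
            attempt()
            out[name] = "accepted"
        except ValueError as err:
            out[name] = str(err)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block prints one line per check: the fresh access token is accepted, the same token is rejected once its exp has passed, the ID token is rejected by the API for the wrong audience, the refreshed token works for read but not write, the already-used refresh token fails with invalid_grant, and an attempt to add the admin scope on refresh fails with invalid_scope.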
-K Himaanshu Shuklaa..
