Access Token, Refresh Token and ID Token

Access Token
- An access token is a string representing an authorization issued to the client. Tokens represent specific scopes and durations of access, granted by the resource owner and enforced by the resource server and authorization server.
- An access token is sent in the Authorization header of the request and usually looks like 'Bearer h090Yuuyuiyv'. It is verified by the API that the client is calling.
- Access tokens are usually in JWT format, but any other format can be used.
- Access tokens are usually short-lived, because it is difficult (although not impossible) to centrally revoke them.
- The responsibility of an access token is to grant access to data before it expires.
Refresh Token
- A refresh token is issued (along with the access token) to the client by the authorization server.
- The responsibility of a refresh token is to request a new access token when the existing access token has expired.
- A refresh token can also be used to obtain additional access tokens with identical or narrower scope.
- Issuing a refresh token is optional, at the discretion of the authorization server.
- A refresh token is a long-lived token.
- Only clients that can securely store refresh tokens should use them.
ID Token
- An ID token represents the user's identity.
- Like the access token, it is also usually in JWT format, but doesn't have to be.
- An ID token must not contain any authorization or audience information, since its job is merely to identify the user.
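As an added end-to-end illustration (example code, not from the original post), the three roles described above in Python: an authorization server that exchanges a refresh token for a short-lived HS256-signed access token, a client that only refreshes once its access token has expired, and an API that verifies the Bearer token and rejects an ID token presented in its place because it carries no scope. The signing key, TTL and refresh-token table are constructed demo values.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-signing-key-not-for-production"   # constructed HS256 key shared by AS and API
ACCESS_TTL = 300            # access tokens are short-lived (seconds)
VALID_REFRESH_TOKENS = {"rt-demo-1": {"sub": "alice", "scope": "read"}}  # constructed

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict) -> str:
    """Authorization server: sign claims as a compact HS256 JWT."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def refresh_access_token(refresh_token: str, now: int) -> str:
    """Authorization server: exchange a refresh token for a new access token."""
    grant = VALID_REFRESH_TOKENS[refresh_token]   # KeyError = unknown or revoked
    return mint_jwt({"sub": grant["sub"], "scope": grant["scope"],
                     "exp": now + ACCESS_TTL})

def verify_bearer(auth_header: str, now: int):
    """Resource server (API): accept only a valid, unexpired access token."""
    if not auth_header.startswith("Bearer "):
        return None, "no bearer token"
    parts = auth_header[7:].split(".")
    if len(parts) != 3:
        return None, "malformed token"
    head, body, sig = parts
    expect = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, _unb64(sig)):
        return None, "bad signature"
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        return None, "expired"
    if "scope" not in claims:        # an ID token carries no authorization
        return None, "not an access token"
    return claims, "ok"

def client_auth_header(session: dict, now: int) -> str:
    """Client: reuse the access token until it expires, then use the refresh token."""
    if session.get("access_exp", 0) <= now:
        session["access_token"] = refresh_access_token(session["refresh_token"], now)
        session["access_exp"] = now + ACCESS_TTL
        session["refreshes"] = session.get("refreshes", 0) + 1
    return "Bearer " + session["access_token"]
```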