RefreshToken vs GenerateToken


Can someone please explain the purpose of the RefreshToken in OAuth2: what is the benefit of using it instead of generating a new token every time the previous token has expired?

1 ACCEPTED SOLUTION

I don't have a definitive answer for you.

But take heart, your question is a common one.

Here's a relevant Stack Overflow thread: https://stackoverflow.com/a/7209263/48082

The theory is that access tokens are more susceptible to loss and compromise, while refresh tokens are more secure, requiring the client id and secret.

In some cases, people are relying on self-signed JWT for token requests, and there is no refresh token flow. Something like RFC7523 or variations on that idea. You can do that kind of thing in Apigee Edge building upon the VerifyJWT policy.

Which is appropriate for you is a complex question - it depends on your clients and the developers that write the code for the clients. Many variables to consider.
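To make the trade-off in the answer above concrete, here is an added example (not from the original post, and not Apigee code) that models a minimal OAuth2 token endpoint: the access token is a short-lived bearer credential that anyone holding it can use, while the refresh token is long-lived but only usable together with the client id and secret. It also goes one step beyond the post by rotating the refresh token on every use and revoking the whole token family if an already-rotated refresh token is replayed, which is how a server can notice that a refresh token has leaked. The client id, secret and timestamps are constructed sample values; the TTLs and the family/rotation scheme are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 300            # seconds: short-lived, usable by anyone who holds it
REFRESH_TTL = 30 * 86400    # seconds: long-lived, usable only with client credentials


@dataclass
class RefreshRecord:
    client_id: str
    family: str         # every token descending from one grant shares a family id
    expires_at: float
    used: bool = False  # set once this token has been rotated away


class TokenServer:
    def __init__(self, clients):
        # clients: {client_id: client_secret}; constructed sample data
        self._clients = clients
        self._refresh = {}            # sha256(refresh_token) -> RefreshRecord
        self._access = {}             # sha256(access_token)  -> (client_id, expires_at)
        self._revoked_families = set()

    @staticmethod
    def _h(token):
        # Store only hashes so a database leak does not yield usable tokens
        return hashlib.sha256(token.encode()).hexdigest()

    def _authenticate_client(self, client_id, client_secret):
        expected = self._clients.get(client_id)
        if expected is None:
            return False
        return hmac.compare_digest(expected, client_secret)  # constant-time compare

    def _mint(self, client_id, family, now):
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._access[self._h(access)] = (client_id, now + ACCESS_TTL)
        self._refresh[self._h(refresh)] = RefreshRecord(client_id, family, now + REFRESH_TTL)
        return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TTL}

    def grant(self, client_id, client_secret, now=None):
        """Initial grant; stands in for the authorization_code exchange."""
        now = time.time() if now is None else now
        if not self._authenticate_client(client_id, client_secret):
            return None
        return self._mint(client_id, secrets.token_hex(8), now)

    def validate_access(self, access_token, now=None):
        """Resource-server check: returns the client id, or None if unknown/expired."""
        now = time.time() if now is None else now
        rec = self._access.get(self._h(access_token))
        if rec is None or rec[1] <= now:
            return None
        return rec[0]

    def refresh(self, client_id, client_secret, refresh_token, now=None):
        """grant_type=refresh_token: requires client auth, rotates the refresh token."""
        now = time.time() if now is None else now
        if not self._authenticate_client(client_id, client_secret):
            return None
        rec = self._refresh.get(self._h(refresh_token))
        if rec is None or rec.client_id != client_id or rec.expires_at <= now:
            return None
        if rec.family in self._revoked_families:
            return None
        if rec.used:
            # Replay of an already-rotated refresh token: a second party holds a
            # copy, so revoke every descendant of this grant.
            self._revoked_families.add(rec.family)
            return None
        rec.used = True
        return self._mint(client_id, rec.family, now)


if __name__ == "__main__":
    srv = TokenServer({"demo-app": "demo-secret"})      # constructed credentials
    first = srv.grant("demo-app", "demo-secret", now=1000.0)
    print("access valid at t+100:", srv.validate_access(first["access_token"], now=1100.0))
    print("access valid at t+400:", srv.validate_access(first["access_token"], now=1400.0))
    print("refresh w/o secret:", srv.refresh("demo-app", "bad", first["refresh_token"], now=1400.0))
    second = srv.refresh("demo-app", "demo-secret", first["refresh_token"], now=1400.0)
    print("rotated:", second is not None)
    print("replay of old refresh:", srv.refresh("demo-app", "demo-secret", first["refresh_token"], now=1500.0))
    print("newest refresh after replay:", srv.refresh("demo-app", "demo-secret", second["refresh_token"], now=1500.0))
```

The point the model makes: a stolen access token is only useful for `ACCESS_TTL` seconds and never has to be revoked, while a stolen refresh token is useless without the client secret and, once rotation is in place, burns the whole session the moment it is replayed after the legitimate client has already used it.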

