How do I handle OAuth refresh token?

Question

When I authorize on my OAuth server it returns me access / refresh tokens:

access_token: "ZjJlMGM2MDcxNDg5MDQ1NzA4ZjkyNzRiOTIwM2E5MWI4N2M0MWU0ZD..."
expires_in: 3600
refresh_token: "NWZjMzQ3YjNjMmY5YTEzYzMxMDYzNGVhNzRiNjAxZTdmZTdjNzE3z..."
scope: null
token_type: "bearer"

How do I use them in my client side javascript application?

Is it okay to save access token and refresh token in the cookies? (is it safe? - but anyway I dont see any other place where I can store them...)
I can request protected resources like this: /api/user?access_token=TOKEN . And when I access them I really get my protected data successful. But what will happen when this access token expired? Will it be automatically refreshed, or do I need to handle it manually?
Why do I need refresh token and when I should send it to the server?

@Victor, I use javascript SPA, so only cookies are available. (?) — pleerock, Feb 04 '14 at 05:27
But as I know with SPA `session` also avaliable, if you use AJAX requests to server — Victor Bocharsky, Feb 04 '14 at 09:43

score 1 · Accepted Answer · answered Feb 04 '14 at 00:49

three-legged ( User---client ---- Oauthserver)

1)In 3 legged authentication access Token is stored at the client side and is never transferred to the user.

two legged (user ----Oauthserver)

In 2 legged authentication the token is stored at the user side. Probably in the cookie.

2)When the token expires user explicitly has to use the refresh token to get a new auth token.

3) Each Auth token has an expiry and instead of reauthenticating itself with a username/password,User can present refresh Token to get a new valid Auth token.

How do I handle OAuth refresh token?

1 Answers1