1

The way I understand Access Token and Refresh tokens is as follows:

  1. Authenticate to App
  2. Receive (short lived) access token and (longer living) refresh token
  3. requests resources from App with access token
  4. If Access token expired request new Access Token with Refresh Token.
  5. Refresh Token expires user must reauthenticate.

Lets imagine refresh token is valid for 30 days. On day 30 the user is in the middle of some business and his refresh token expires. Does he get automatically logged out? I haven't seen that happen...

So What is refreshing the refresh token without the user manually inputting credentials?

David
  • 55
  • 6

1 Answers1

1

Every time the application asks for a new Access Token (step 4 in your list), it can also be given a new Refresh Token, with an even later expiry.

Effectively, the life time of the Refresh Token is the maximum idle time of the user's session.

IMSoP
  • 89,526
  • 13
  • 117
  • 169