Why is refresh token needed when you have access token?
Access tokens are usually short-lived and refresh tokens are used to get new access tokens. If servers provide long living access tokens there is no way to make the client stop using the token if the user / session is invalidated for any reason. With refresh token, the server can validate the user / session every time an access token is generated using a refresh token.
This may lead to another question. Why use refresh token at all? Why don’t you only use a small lived access token? Answer is that it allows you to keep logged in without having to authrnticate yourself explicitely with the OAuth provider providing your user credentials.
List various OAuth Grant Types
- Authorization code grant
- Most common
- Implicit grant
- Used mostly for mobile and single page web apps.
- Client credentials grant
- Used mostly for system-to-system access.
What are the acess token and refresh token expiry times for popular OAuth providers?