Why does OAuth need refresh token in addition to access token?


What is the purpose of a “Refresh Token”?

Question: I have a program that integrates with the YouTube live streaming API. I use the refresh token every 50 minutes to obtain a new access token. My question is, why does OAuth design dual tokens?

When I authenticate with youtube, it gives me a refresh token. Then I use this refresh token to get a new access token about every hour. If I have a refresh token, I can always use it to get a new access token because it will never expire. So I don’t think it’s more secure than giving me an access token from the beginning.


Simply put, the refresh token is used to obtain a new access token.

To clearly distinguish the two tokens and avoid confusion, the following isOAuth 2.0 authorization frameworkFunctions given in:

  • The access token is issued by the authorization server to the third-party client with the approval of the resource owner. Clients use access tokens to access protected resources hosted by the resource server. The refresh token is the credential used to obtain the access token.

  • The refresh token is issued by the authorization server to the client to obtain a new access token when the current access token expires or expires, or to obtain an additional access token with the same or narrower range.

For security reasons, refresh_ Token is only exchanged with the authorization server, and access_ The token is exchanged with the resource server. This reduces the long-standing access between “the access token is valid for one hour, the refresh token is valid for one year or is valid before revocation” and “the access token is valid until revocation without refreshing”_ The risk of token leakage.

The refresh token has at least two purposes. First, the refresh token is a “proof” that the oauth2 client has obtained permission to access its data from the user, so it can request a new access token again without the user going through the entire oauth2 process. Second, compared with long-term access token, it helps to increase the overall security process.

Refresh token as a way not to affect the user experience

Let’s talk about the first purpose with an example. Suppose you are a user using a third-party client web application that wants to interact with your YouTube account data. Once you have granted the client application permission to use your YouTube data, do you want the client application to prompt you again for permission when its YouTube token expires? What happens if the YouTube token expires for a very short time (for example, 5 minutes)?

If the client application prompts you for permission at least every 5 minutes, it will be a bit annoying! The solution proposed by oauth2 to this “problem” is to refresh the token. By using the refresh token, the access token can maintain a short life cycle (which is desirable if the access token is leaked or stolen in some way), and the refresh token can maintain a long (longer) life cycle, thus allowing the client to obtain a new access right license without the user’s re permission when it expires.

But why refresh the token? If the focus is not to allow users to use permission requests, why can’t the client simply say, “Hey, authorization server, I want another access token. Instead,” Hey, authorization server, this is my expired token, give me a new one! “. The refresh token is used as a “proof” to prove that the client is granted access by the user at a certain original point in time. This “proof” takes the form of a refresh token digitally signed by the authorization server. By providing a refresh token to the client, the authorization server can verify that the client has received the user’s permission at a certain time in the past, and the client does not need to prompt the user again.

Refresh token as a means to improve security

However, this raises a question, “well, what happens if the refresh token is leaked or stolen, or is simply retained by a malicious client application without being deleted at the user’s request? Can an attacker continue to use the refresh token to obtain a valid access token indefinitely (or until it expires)? This question leads to the discussion of the second purpose I mentioned. Refreshing the token helps to a more secure process.

The problem with access tokens is that once they are obtained, they are only presented to resource servers (such as YouTube). Therefore, if the access token is stolen or leaked, how can you tell the resource server not to trust the token? Well, you really can’t. The only way is to change the private signing key on the authorization server (the key that first signs the token).

On the other hand, the refresh token needs to be submitted to the authorization server frequently. Therefore, if a token is compromised, it is insignificant to revoke or reject the entire refresh token without changing any signature key.