Have you heard of tokens? If yes, good; if not, don't worry, we will learn why we use a token and why it is so important in the authentication process. In this blog, we'll learn more about refresh tokens.
What is a Token?
A token is a secure way of transmitting information between a sender and a receiver. It is commonly represented in JSON format and carried in a URL, a POST parameter, or an HTTP header. Tokens are typically used to implement authentication and authorization in web applications.
Types of Token
There are many types of tokens, although in authentication the typical ones are the access token and the refresh token.
- Access Token : It contains all the information the server needs to decide whether the user/device may access the requested resource. These tokens usually expire and have a short validity period.
- Refresh Token : The refresh token is used to obtain a new access token. In general, if the access token has an expiry date, the user must authenticate again once it expires to get a new one. A refresh token lets you skip this step and get a new access token with a single request to the API. Users can then use the new access token to access application resources.
Now we will briefly discuss the refresh token, its workflow, why we need it, and how it differs from the access token. So fasten your seat belts: you are now on a roller coaster ride to learn all about refresh tokens.
What is a Refresh Token?
A refresh token simply helps you re-validate a user without making them re-enter their login information again and again. Credentials that can be used to obtain new access tokens are known as refresh tokens. When an access token expires, we can simply request a new access token from the authentication server using the refresh token.
A hacker may steal and misuse our access token if we keep using the same one for an extended period of time. In fact, using an access token for an extended period of time is not advised. Now, we are going to introduce the refresh token workflow.
Working Flow of Refresh Tokens
Step – 1 Initially, the client authenticates with the authentication server by providing its credentials.
Step – 2 Then, the authentication server issues an access token and a refresh token.
Step – 3 After that, the client requests a protected resource from the resource server by presenting the access token.
Step – 4 The resource server validates the access token and returns the protected resource.
Step – 5 Steps 3 & 4 keep repeating until the access token expires.
Step – 6 When the access token expires, the client requests a new access token by presenting the refresh token.
Step – 7 The authentication server delivers a new access token and a new refresh token.
Step – 8 Steps 3-7 continue until the refresh token expires.
Step – 9 After the refresh token expires, the client must re-authenticate with the authentication server and the flow repeats from Step 1.
Why do we actually need refresh tokens?
The lifespan of an access token is going to be short. As a result, even a hacker who steals the access token can use it only for a short period of time. A refresh token and an access token are both issued in response to the login request. Each time the access token expires, we can get another access token using the refresh token. The main purpose of using a refresh token is to make it practical to keep the life of an access token very short.
Each time the user logs into the application with valid credentials, we update the refresh token and its expiry time in the user table of the identity database. After the access token expires, if the user again attempts to obtain a secure resource from the application, the application returns a 401 Unauthorized error.
Then, the client can try refreshing the token by presenting the existing (expired) access token together with the refresh token. In the refresh method, the application validates the expired access token and the refresh token. If both check out, the app issues a new access token and updates the stored token for that user. The user can then use this new token to access secure resources within the app.
In case something goes wrong, the refresh token can be revoked, which means that when the application tries to use it to get a new access token, the request will be refused and the user will have to re-enter their credentials and authenticate again.
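The workflow steps above, together with the refresh and revoke behaviour just described, as a minimal authentication server. This is an added example written for this post, not code from the original: the user store, signing key and lifetimes are constructed demo values, the access token is a simplified HMAC-signed JSON token rather than a full JWT, and refresh tokens are random single-use strings stored server-side as hashes.

```python
import base64, hashlib, hmac, json, secrets, time

USERS = {"alice": "correct-horse-battery-staple"}  # constructed demo user store
SIGNING_KEY = secrets.token_bytes(32)               # server-side key for access tokens
ACCESS_TTL = 15 * 60                                # access tokens live 15 minutes
REFRESH_TTL = 7 * 24 * 3600                         # refresh tokens live 7 days

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _hash(refresh_token):
    return hashlib.sha256(refresh_token.encode()).hexdigest()

class AuthServer:
    """Issues HMAC-signed access tokens and random, single-use refresh tokens."""
    def __init__(self):
        self.refresh_store = {}  # sha256(token) -> {"sub", "exp"}; hashes only, so a leaked table can't be replayed

    def _issue_pair(self, sub, now):
        body = _b64(json.dumps({"sub": sub, "exp": now + ACCESS_TTL}).encode())
        access = (body + b"." + _b64(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())).decode()
        refresh = secrets.token_urlsafe(32)
        self.refresh_store[_hash(refresh)] = {"sub": sub, "exp": now + REFRESH_TTL}
        return access, refresh

    def login(self, username, password, now=None):
        """Steps 1-2: check credentials, then hand out an access + refresh token pair."""
        if not hmac.compare_digest(USERS.get(username, "").encode(), password.encode()):
            return None
        return self._issue_pair(username, now or time.time())

    def validate_access(self, token, now=None):
        """Step 4 (resource server): the claims if signature and expiry check out, else None."""
        now = now or time.time()
        body, _, sig = token.encode().partition(b".")
        if not hmac.compare_digest(sig, _b64(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
        return claims if claims["exp"] > now else None

    def refresh(self, refresh_token, now=None):
        """Steps 6-7: trade a live refresh token for a new pair; the old one is consumed."""
        now = now or time.time()
        record = self.refresh_store.pop(_hash(refresh_token), None)
        if record is None or record["exp"] <= now:
            return None  # unknown, already used, revoked or expired: client must log in again
        return self._issue_pair(record["sub"], now)

    def revoke(self, refresh_token):
        self.refresh_store.pop(_hash(refresh_token), None)  # logout or suspected theft
```

Because each refresh consumes the presented token, a stolen refresh token that is replayed after the legitimate client has already used it is rejected, and the `now` parameter lets you step the clock through the expiry cases.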
Difference between Refresh Token and Access Token
Credentials that can be used to obtain new access tokens are known as refresh tokens.
- A refresh token has a significantly longer lifetime than an access token.
- Refresh tokens can also expire, but they are very long-lived.
- When an existing access token expires or becomes invalid, the client presents the refresh token to the authorization server to obtain a new access token.
A string that identifies a user, an application, or a page is known as an access token. The token contains information such as its expiry date and the application that created it.
- It is obtained with a refresh token, a credential the client uses to get new access tokens without requiring additional permission from the user.
- The client requests the access token from the authorization server.
In this blog we have learned the basics of refresh tokens, their importance, and how the authentication server issues a one-time-use refresh token along with the access token. Refresh tokens also help simplify the authentication process for users while protecting your valuable resources from attackers. They improve the user experience considerably, which matters because many web development experts focus on the primary goal of increasing user experience and engagement quality.