OAuth 2.0 - Refresh Token

preview_player
Показать описание
This video explains the main use case for refresh_token. In also touches on user session management in the context of OAuth.
The video is too short to explain all aspects but the viewer should get a good idea how these token work and what effect different types of expirations have.

To find more information checkout these web sites and RFCs
- RFC 6749 (OAuth 2.0)
- RFC 7009 (Revocation)

You can also check my book "API Development - A Practical Guide for Business Implementation Success" which is available via Apress or Amazon for a broader picture on api development.

If this video was helpful to you, please consider buying me a coffee:
  1. Sascha Preibisch
  2. oauth
  3. refresh_token
  4. revocation
Рекомендации по теме
OAuth 2 Explained 0:04:32

OAuth 2 Explained In Simple Terms

Automatically Refresh OAuth2.0 0:03:31

Automatically Refresh OAuth2.0 Access Tokens | Postman Level Up

What are Refresh 0:19:29

What are Refresh Tokens?! and...How to Use Them Securely

OAuth 2.0 explained 0:10:03

OAuth 2.0 explained with examples

OAuth2.0 Authentication in 0:22:10

OAuth2.0 Authentication in ServiceNow | Inbound Integration with OAuth token

#6. OAuth 2.0 0:04:43

#6. OAuth 2.0 | Generate New Access Token Using Refresh Token For Google API|

Why Refresh Token? 0:02:15

Why Refresh Token? - 2 min. OAuth #4

ID Tokens VS 0:08:38

ID Tokens VS Access Tokens: What's the Difference?

Google API - 0:02:52

Google API - Get Access Token and Refresh Token

OAuth 2.0 access 0:03:07

OAuth 2.0 access tokens explained

OAuth 2. Refresh 0:08:26

OAuth 2. Refresh Token explained

Getting refreshToken : 0:01:14

Getting refreshToken : OAuth 2.0 playground

02. OAuth2.0 Refresh 0:05:33

02. OAuth2.0 Refresh token with Token Binding

Smart Google Calendar 0:00:33

Smart Google Calendar - OAuth2.0 refresh token

OAuth 2.0 Refresh 1:49:45

OAuth 2.0 Refresh & Access Token Setup with PKCE Flow | Spring Boot Security Tutorial

What is the 0:03:19

What is the difference between Access Tokens & Refresh Tokens? OAuth 2.0 & OIDC (OpenID Conn...

11.96 Refresh 0:07:30

11.96 Refresh token grant type flow in OAUTH2

How To Use 0:55:27

How To Use The Google OAuth2.0 Refresh Token For Offline Access - UWP C# Programming Tutorial

How to Fix 0:04:02

How to Fix Invalid Grant and Expiring Refresh Token Errors for Google OAuth

How to OAuth 0:08:54

How to OAuth 2.0 Authorization with Postman | Generate Google Access Token in Postman | Step By Step

Refresh Token Flow 0:05:46

Refresh Token Flow - OAuth2.0&OpenID_8

How to create 0:00:28

How to create Google OAuth Credentials (Client ID and Secret)

XERO Integration | 0:32:56

XERO Integration | Oauth2.0 | Access Token | Refresh Token | REST APIs

oAuth for Beginners 0:10:43

oAuth for Beginners - How oauth authentication🔒 works ?

Комментарии
Автор

Wow, such a nice and crisp explanation, please continue making such videos. I strongly believe everyone who watched it definitely liked it a lot.

prafulsinghvit
Автор

Amazing video Sascha! Very crisp explanation. Thank you!

mohdt
Автор

you are gem. your description is awesome.really appreaciate

sachinrane
Автор

Great explanation. I got a better understanding of auth from this content.

thevipinchand
Автор

Guys can we get a like on the video? He takes the time to make this clear video and we have over 1k views. Let's show some support . One love

TheAmeer
Автор

Reeeeally helpful video, thank you and take care 👍

alex_chugaev
Автор

I would be interested in setting up a fixed RefreshToken. As in case we've a sliding window, it is a never ending case, as long as somebody frequently uses the RefreshToken. All the time the RefreshToken Expiry time will again start from scratch. So where can we configure the hard fixed expiration limits? Thx.

mbssystems
Автор

If the user is using the client app and for some reason he keeps the laptop on sleep mode keeping the tab open on the browser so now when the user is back online does the user needs to authorize again by logging in or the user can continue accessing it smoothly without any hassle of logging in again into the application

AjayGupta-jssl
Автор

thanks Sascha, very clearly explained!

enriquesierragutierrez
Автор

thanks for the video.
I would like to share my understanding of your video and many online resources of why we can't just use access token as refresh token ?
There is scalability reason and there is a security reason.
Scalability reason: access token can be verified by resource server without DB lookup or central server (just need place to get the public key) usually good for 1 hour, can be used with any resource server, highlight third party resource server could have log leaks, weak security etc.. this not the authorization-server

The security reason: refresh_token is only ever exchanged with authorization server which is one issuing authorization and more secure, refresh-token can live forever but access token canno't that's why we must have 2.

This mitigates the risk of a long-lived access_token leaking, making access token good-til-revoked without refresh token

yotubecreators
Автор

What is the use of fixed lifetime? Why not using the original access token instead, or do I misunderstand the principle of the access (and refresh) token?

TheVincent
Автор

why do we need refresh token? if basically refresh token can be exchanged for access token, why don't we just make the access token to lives longer?

some people say that longer lives of access token is not recommended because when the token is stolen and it is still active, the attacker can use the token (and therefore we shortened the access token lifetime).

but refresh token can also be stolen right 🤷‍♂?

rizadwiandhika
Автор

Is kong entirely responsible to take care of refreshing the access token when the refresh token has not expired if yes then how? or do we need to hit some apis from our end to ask for new access token from the Kong

AjayGupta-kkef
Автор

Thank you very much for this informative video! -

upatthefarm
Автор

I'm confused by the word "may". For example, at 12:22, the words "refresh_token may be one time use only" are on the screen. In that context, does the word "may" indicate certainty or possibility? Perhaps the word "might" would be clearer. We commonly use "may not" to indicate certainty. We use "might not" to indicate uncertainty. The English language is imprecise here. I guess that you are saying "might be", as in "sometimes, it will be 'X' and sometimes 'not X'." But I'm just guessing.

newbieuserguy
Автор

Suppose expire time of refresh token is 1 month and someone can close the app and open the app after 2 month so in that case both token expired so what are the way to handle that situations?

vipulgoriya
Автор

In the sliding window implementation of refresh tokens, is it necessary to "authenticate" every time before generating the refresh token ? How can this be automated to generate the refresh token as that the end user experience is seamless?

prashanthbp
Автор

I have a message "Expired token" when trying to clear the cart and when I try to add items to the cart. After I redeploy the website it works fine for couple of days, and then crashes with that message. What's the solution? Do I need to add JWT to my project?

daniyartursunov
Автор

I dont understand the point of refresh tokens from a security standpoint though.

If the original exchange is intercepted (say via a MitM)- the attacker has both tokens.

If the access token is intercepted by a MitM later, cant the attacker return an 'expired' response, forcing the user to send the refresh token, so its moot anyway?

In what situation does a refresh token enhance security against a skilled attacker?

jonathanlevin
Автор

Also, when you were discussing refresh token revocation for self-encoded jwt, at around 9:57, you mentioned about the access token being sent to the token store for validation. But I thought the token store only contains (a blacklist of) refresh tokens

jasonbuenaventura