Refresh Token v/s Access Token

Backend development is an essential part of building any application. When you deploy the backend of a web or mobile application, you need to understand how tokens work, because security is one of the most important aspects of that backend.

In this article we focus on two basic tokens: the refresh token and the access token.

Refresh Token:

  • A refresh token is a credential used to obtain a new access token when the current access token becomes invalid or expires.

  • Unlike access tokens, refresh tokens have a longer lifespan and must be stored securely on the client side. In a browser app that means an HttpOnly, Secure cookie sent only to the token endpoint, not local storage, which any script running on the page can read; in a native app it means the platform's secure storage.

  • When an access token expires, the client can use the refresh token to request a new access token without requiring the user to log in again.

  • Refresh tokens add a layer of security because they are sent only to the token endpoint, not with every API request, which reduces the chance of interception. Because they live long, the server should also be able to revoke them, and rotating the refresh token on every use lets the server detect a stolen copy when an already-used token comes back.

Access Token:

  • An access token is a credential that represents the authorization granted to a client (the application acting for the user) to access specific resources on behalf of the resource owner (the user).

  • It is a short-lived token that provides limited and temporary access to protected resources.

  • Access tokens are the bearer credential in token-based authorization frameworks such as OAuth 2.0, where the resource server validates the token on each request instead of keeping a login session.

Here's a typical flow involving access and refresh tokens:

  1. Authentication:

    • The user logs in and provides credentials.

    • The server verifies the credentials and issues an access token and a refresh token.

  2. API Requests:

    • The client includes the access token in the Authorization header of each API request (Authorization: Bearer <token>) to access protected resources.

  3. Access Token Expiry:

    • Access tokens have a limited lifespan (e.g., 15 minutes).

    • When the access token expires, the client uses the refresh token to request a new access token without requiring the user to log in again.

  4. Token Refresh:

    • The server validates the refresh token and issues a new access token (and, with refresh token rotation, a new refresh token as well, invalidating the old one).

    • If the refresh token is expired, revoked or otherwise invalid, the user must log in again.
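The four steps above as working code. This is an added example written for this article, not code from the Chai Aur Code video, and it makes a few assumptions for illustration: the access token is a hand-rolled HMAC-SHA256-signed JSON payload (a JWT library would do the same job in production), the refresh token is an opaque random string whose hash is kept in an in-memory store, and the refresh endpoint rotates tokens so that replaying an already-used refresh token revokes the whole token family. The signing key and user names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key for this example only; a real service loads it from a
# secret manager and rotates it.
SIGNING_KEY = b"demo-signing-key-do-not-use-in-production"
ACCESS_TTL = 15 * 60           # seconds; the 15-minute lifetime used in the article
REFRESH_TTL = 30 * 24 * 3600   # seconds; refresh tokens live much longer


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def sign_access_token(claims: dict) -> str:
    """Self-contained access token: base64url(JSON claims) . base64url(HMAC-SHA256)."""
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_access_token(token: str, now: float):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # wrong number of parts, bad base64, or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_request(headers: dict, now: float):
    """Step 2, resource-server side: accept only 'Authorization: Bearer <access token>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return verify_access_token(token, now)


class TokenService:
    """Authorization-server side: issues access tokens and rotates refresh tokens."""

    def __init__(self):
        # Only the hash of each refresh token is stored, so a leaked table cannot
        # be replayed. Every login starts a "family" of rotated refresh tokens.
        self._refresh = {}
        self._revoked_families = set()

    def login(self, user_id: str, now: float):
        """Step 1: the caller has already verified credentials; issue the first pair."""
        return self._issue(user_id, secrets.token_urlsafe(16), now)

    def _issue(self, user_id: str, family: str, now: float):
        access = sign_access_token({"sub": user_id, "exp": int(now + ACCESS_TTL)})
        refresh = secrets.token_urlsafe(32)  # opaque, high-entropy, looked up by hash
        self._refresh[_sha256(refresh)] = {
            "sub": user_id, "family": family, "exp": now + REFRESH_TTL, "used": False,
        }
        return access, refresh

    def refresh(self, refresh_token: str, now: float):
        """Steps 3-4: validate the refresh token; return a new (access, refresh) pair or None."""
        rec = self._refresh.get(_sha256(refresh_token))
        if rec is None or rec["family"] in self._revoked_families or rec["exp"] <= now:
            return None
        if rec["used"]:
            # An already-rotated token came back: the client or a thief holds a
            # stale copy. Revoke the whole family so the user has to log in again.
            self._revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return self._issue(rec["sub"], rec["family"], now)
```

The resource server never touches the refresh store: it only checks the signature and expiry of the access token it is handed, which is what makes the access token short-lived and cheap to validate. The refresh endpoint is the only place the long-lived credential is seen, and because each use rotates it, a replayed token is a signal of theft rather than a second valid session.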

Let's see a few examples:

  • Payment Gateways:

    • Scenario: An e-commerce website needs to securely process payments through a third-party payment gateway.

    • Implementation: After the user provides payment details, the website obtains an access token and a refresh token from the payment gateway. The access token is used to authorize and process the payment, and the refresh token is used to obtain a new access token for future transactions.

  • OAuth 2.0 in Social Media Integration:

    • Scenario: Imagine a user wants to log in to a third-party application using their Google or Facebook credentials.

    • Implementation: The application uses OAuth 2.0 (with OpenID Connect layered on top for the sign-in itself) to delegate authentication to the provider. After the user signs in and consents, the provider issues an access token and a refresh token. The access token is used to fetch user data or perform actions on behalf of the user, and the refresh token is used to obtain a new access token when it expires.

The material above is based on the Chai Aur Code channel:

https://youtu.be/L2_gIrDxCes?si=GVbk10cfjJTsMOpD