OAuth
ArrayPop, 2019-11-23 10:26:40

Why do you need to renew OAuth2 access tokens?

We are talking about access_token and refresh_token. It is not clear to me why you need to update the access token. A person receives an access token and works with some API; after the token expires, he needs to use a refresh token to update the access_token. Well, firstly, you could increase the lifetime of the token so as not to have to update it, and secondly, when the token expires (for example, after a month), just as with normal session-based authorization, it would be possible to log the user out and force him to obtain a new token. What is the need to update the token, I don't understand, if it is created anew with each authorization?


1 answer(s)
Denis, 2019-11-23
@ArrayPop

Quickly and primitively:
Sometimes it happens that "person1" needs to carry out some important operation right now (let's say, transfer money from card to card). He goes to some site (which uses OAuth2) and starts manipulating his account; every request to the site's server goes out with the access_token, and it seems like everything is fine. But let's complicate things a little: the person is in the subway (or a cafe) and uses public Wi-Fi, and "next to" him sits "person2" (not even necessarily the administrator of this Wi-Fi access point), who can run a sniffer that reads this token and use it for his own needs.
But because the access_token does not have a long lifetime, there is a high probability that "person2" will not have time to use it, because the refresh_token will kick in and new tokens will be issued by the time "person1" has already left the metro (cafe) and connected to another network.
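As an added illustration of the answer above (example code written for this page, not part of the original thread or any real authorization server), here is a minimal in-memory token issuer in Python. Access tokens are HMAC-signed and short-lived, so a token read off the wire stops working after a few minutes; the refresh token is only ever presented to the token endpoint and is rotated on each use, so a replay of an already-consumed refresh token is detected and the user's tokens are revoked. The names `TokenServer`, `issue`, `verify_access` and `refresh`, the lifetimes, and the revoke-the-family policy are assumptions chosen for illustration.

```python
# Added example (not from the original post): a minimal in-memory OAuth2-style
# token issuer showing why short-lived access tokens plus rotated refresh
# tokens limit the damage from a captured access token. Lifetimes, names and
# the revocation policy are assumptions for illustration only.
import hashlib
import hmac
import secrets
import time

ACCESS_TTL = 300          # seconds; short, so a captured token expires quickly
REFRESH_TTL = 30 * 86400  # assumed refresh-token lifetime
SERVER_KEY = secrets.token_bytes(32)  # HMAC key held only by the auth server


class TokenServer:
    def __init__(self, now=time.time):
        self.now = now                # injectable clock so the window can be shown
        self.refresh_tokens = {}      # refresh_token -> {"user", "exp", "used"}

    def _sign(self, payload: str) -> str:
        return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str):
        """Return (access_token, refresh_token) for a freshly authenticated user."""
        exp = int(self.now()) + ACCESS_TTL
        payload = f"{user}:{exp}"
        access = f"{payload}:{self._sign(payload)}"      # stateless, expiring
        refresh = secrets.token_urlsafe(32)               # opaque, stored server-side
        self.refresh_tokens[refresh] = {
            "user": user, "exp": self.now() + REFRESH_TTL, "used": False,
        }
        return access, refresh

    def verify_access(self, token: str):
        """Return the user if the access token is genuine and unexpired, else None."""
        try:
            user, exp, sig = token.rsplit(":", 2)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(f"{user}:{exp}")):
            return None                                   # forged or tampered
        if int(exp) <= self.now():
            return None                                   # expired: a sniffed token is useless now
        return user

    def refresh(self, refresh_token: str):
        """Consume the refresh token and issue a new pair (rotation).
        Replay of a consumed refresh token is treated as theft: every refresh
        token belonging to that user is revoked (assumed policy)."""
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec["exp"] <= self.now():
            return None
        if rec["used"]:
            for tok, v in list(self.refresh_tokens.items()):
                if v["user"] == rec["user"]:
                    del self.refresh_tokens[tok]
            return None
        rec["used"] = True
        return self.issue(rec["user"])


def demo():
    """Walk through the scenario from the answer with a constructed clock."""
    clock = [1_700_000_000.0]
    srv = TokenServer(now=lambda: clock[0])
    access, refresh = srv.issue("person1")
    assert srv.verify_access(access) == "person1"        # token works while person1 is in the cafe
    clock[0] += ACCESS_TTL + 1                           # person1 has left and changed networks
    stolen_still_valid = srv.verify_access(access)       # None: the captured token has expired
    new_access, new_refresh = srv.refresh(refresh)       # legitimate client rotates quietly
    replay = srv.refresh(refresh)                        # same refresh token presented again: None, family revoked
    return stolen_still_valid, srv.verify_access(new_access), replay, srv.refresh(new_refresh)


if __name__ == "__main__":
    print(demo())  # (None, 'person1', None, None)
```

The point of the injectable clock is to make the exposure window explicit: the access token captured in the cafe is valid only until `ACCESS_TTL` elapses, while the refresh token never travels with ordinary API requests and, once rotated, cannot be replayed without tripping the reuse check.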
