Refresh tokens in the Microsoft identity platform - Microsoft identity platform (2024)


When a client acquires an access token to access a protected resource, the client also receives a refresh token. The refresh token is used to obtain new access and refresh token pairs when the current access token expires.

Refresh tokens are also used to acquire extra access tokens for other resources. Refresh tokens are bound to a combination of user and client, but aren't tied to a resource or tenant. A client can use a refresh token to acquire access tokens across any combination of resource and tenant where it has permission to do so. Refresh tokens are encrypted and only the Microsoft identity platform can read them.

Token lifetime

Refresh tokens have a longer lifetime than access tokens. The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios. Refresh tokens replace themselves with a fresh token upon every use. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials.

Note

Refresh tokens sent to a redirect URI registered as spa expire after 24 hours. Additional refresh tokens acquired using the initial refresh token carry over that expiration time, so apps must be prepared to rerun the authorization code flow using an interactive authentication to get a new refresh token every 24 hours. Users don't have to enter their credentials and usually don't even see any related user experience, just a reload of your application. The browser must visit the sign-in page in a top-level frame to show the login session. This is due to privacy features in browsers that block third party cookies.

Token expiration

Refresh tokens can stop working at any time, whether because they time out or because they are revoked. Your app must handle a rejected refresh token gracefully by sending the user to an interactive sign-in prompt to sign in again.

Token timeouts

You can't configure the lifetime of a refresh token; it can be neither shortened nor lengthened. Therefore, it's important to ensure that you secure refresh tokens, as they can be extracted from public locations by bad actors, or indeed from the device itself if the device is compromised. There are a few things you can do:

Not all refresh tokens follow the rules set in the token lifetime policy. Specifically, refresh tokens used in single page apps are always fixed to 24 hours of activity, as if they have a MaxAgeSessionSingleFactor policy of 24 hours applied to them.
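The client-side behaviour the sections above call for (refresh when the access token expires, rotate and drop the old refresh token, carry the 24-hour SPA deadline over to every rotated token, and fall back to interactive sign-in when the service rejects the refresh token) as an added Python example. This is not code from the article, from MSAL, or from Microsoft: the token endpoint is a constructed fake so the example runs offline and does not model the 90-day default for non-SPA tokens, the client ID, scopes and token strings are placeholders, and tracking the SPA deadline on the client from the time of the initial interactive sign-in is this example's own approach.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional

SPA_REFRESH_LIFETIME = 24 * 3600  # seconds; the 24 h figure from the article


class InteractiveSignInRequired(Exception):
    """The refresh token was rejected or, for a SPA, is past its 24 h deadline."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    access_expires_at: float           # epoch seconds
    refresh_deadline: Optional[float]  # SPA only; inherited from the first refresh token


def build_refresh_request(client_id: str, refresh_token: str, scope: str) -> Dict[str, str]:
    """Form fields of an OAuth 2.0 refresh_token grant; a confidential client adds its credential."""
    return {"client_id": client_id, "grant_type": "refresh_token",
            "refresh_token": refresh_token,
            "scope": scope}  # keep 'openid' in scope to receive a fresh ID token as well


class TokenCache:
    """Serves cached access tokens, refreshes on expiry, rotates, and never retries a rejected token."""

    def __init__(self, client_id, scope, transport, is_spa, now=time.time):
        self.client_id, self.scope, self.transport = client_id, scope, transport
        self.is_spa, self.now = is_spa, now   # transport: callable(form) -> JSON dict
        self.tokens: Optional[TokenSet] = None

    def store_initial(self, resp: dict) -> None:
        # Response of an interactive authorization-code redemption; SPA deadline starts here.
        deadline = self.now() + SPA_REFRESH_LIFETIME if self.is_spa else None
        self.tokens = TokenSet(resp["access_token"], resp["refresh_token"],
                               self.now() + resp["expires_in"], deadline)

    def get_access_token(self, skew: float = 60) -> str:
        if self.tokens is None:
            raise InteractiveSignInRequired("no cached tokens")
        if self.now() + skew < self.tokens.access_expires_at:
            return self.tokens.access_token
        return self._refresh()

    def _refresh(self) -> str:
        t = self.tokens
        if t.refresh_deadline is not None and self.now() >= t.refresh_deadline:
            self.tokens = None
            raise InteractiveSignInRequired("SPA refresh token past 24 h; rerun the auth code flow")
        resp = self.transport(build_refresh_request(self.client_id, t.refresh_token, self.scope))
        if "error" in resp:
            self.tokens = None  # a rejected refresh token is never retried
            if resp["error"] == "invalid_grant":  # revoked or timed out on the service side
                raise InteractiveSignInRequired(resp.get("error_description", "invalid_grant"))
            raise RuntimeError(resp["error"])
        # Rotation: the new refresh token replaces the old one (dropped here); the SPA deadline carries over.
        self.tokens = TokenSet(resp["access_token"], resp.get("refresh_token", t.refresh_token),
                               self.now() + resp["expires_in"], t.refresh_deadline)
        return self.tokens.access_token


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint: rotates tokens and rejects revoked ones."""

    def __init__(self):
        self.valid, self.n = set(), 0

    def issue(self) -> dict:
        self.n += 1
        self.valid.add(f"rt{self.n}")
        return {"access_token": f"at{self.n}", "refresh_token": f"rt{self.n}", "expires_in": 3600}

    def __call__(self, form: Dict[str, str]) -> dict:
        if form.get("grant_type") != "refresh_token" or form.get("refresh_token") not in self.valid:
            return {"error": "invalid_grant", "error_description": "refresh token invalid or revoked"}
        return self.issue()

    def revoke_all(self) -> None:  # e.g. an admin revokes all refresh tokens for the user
        self.valid.clear()


def demo(is_spa: bool = True, revoke: bool = True) -> dict:
    """Refresh once, then run into either a revocation or (SPA) the inherited 24 h deadline."""
    clock = [1_000_000.0]
    ep = FakeTokenEndpoint()
    cache = TokenCache("client-id-placeholder", "openid offline_access User.Read",
                       ep, is_spa, now=lambda: clock[0])
    cache.store_initial(ep.issue())      # stands in for redeeming the authorization code
    first = cache.get_access_token()     # still fresh: served from the cache
    clock[0] += 3600                     # access token expired: refresh and rotate
    second = cache.get_access_token()
    rotated_rt = cache.tokens.refresh_token
    if revoke:
        ep.revoke_all()
    clock[0] += 3600 if revoke else SPA_REFRESH_LIFETIME
    try:
        cache.get_access_token()
        outcome = "silent refresh succeeded"
    except InteractiveSignInRequired as exc:
        outcome = f"interactive sign-in required: {exc}"
    return {"first": first, "second": second, "rotated_rt": rotated_rt, "outcome": outcome}
```

Running `demo(revoke=True)` shows the rotated token being refused after revocation, `demo(revoke=False)` shows the SPA deadline firing even though the fake endpoint would still accept the token, and `demo(is_spa=False, revoke=False)` shows that the same elapsed time leaves a non-SPA token usable. Note that the cache assigns the new TokenSet over the old one so the superseded refresh token is not kept anywhere; a real app that persists tokens to disk or a keychain must overwrite the stored copy the same way.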

Token revocation

The server can revoke refresh tokens because of a change in credentials, user action, or admin action. Refresh tokens fall into two classes: tokens issued to confidential clients (the rightmost column) and tokens issued to public clients (all other columns).

| Change | Password-based cookie | Password-based token | Non-password-based cookie | Non-password-based token | Confidential client token |
|---|---|---|---|---|---|
| Password expires | Stays alive | Stays alive | Stays alive | Stays alive | Stays alive |
| Password changed by user | Revoked | Revoked | Stays alive | Stays alive | Stays alive |
| User does SSPR | Revoked | Revoked | Stays alive | Stays alive | Stays alive |
| Admin resets password | Revoked | Revoked | Stays alive | Stays alive | Stays alive |
| User revokes their refresh tokens | Revoked | Revoked | Revoked | Revoked | Revoked |
| Admin revokes all refresh tokens for a user | Revoked | Revoked | Revoked | Revoked | Revoked |
| Single sign-out | Revoked | Stays alive | Revoked | Stays alive | Stays alive |

Note

Refresh tokens are not revoked for B2B users in their resource tenant. The token needs to be revoked in the home tenant.


FAQs

How do you refresh an ID token?

To refresh your access token and ID token, you send a token request with a grant_type of refresh_token. Be sure to include the openid scope when you want to refresh the ID token. If the refresh token is valid, you get back a new access token and a new refresh token.

How do I refresh my SSO token?

All SSO tokens, including the native OpenEdge SSO token, must expire after some set interval. They can be refreshed either by the client performing a full direct login, or by returning to the point where the SSO token was issued and requesting a new token with an extended expiration.

How do you get a refresh token?

To get a refresh token, you must include the offline_access scope when you initiate an authentication request through the /authorize endpoint. Be sure to enable Offline Access in your API. For more information, read API Settings.

What is the difference between an identity server access token and a refresh token?

Access tokens are used in token-based authentication to gain access to resources by presenting them as bearer tokens. A refresh token is a long-lived special kind of token used to obtain a renewed access token. An ID token carries identity information encoded in the token itself, and must be a JWT.

How do you manually expire refresh tokens?

Go to the Settings tab. Under Refresh Token Expiration, enable Absolute Expiration. When enabled, a refresh token will expire based on an absolute lifetime, after which the token can no longer be used. If rotation is enabled, an expiration lifetime must be set.

Why do we need a refresh token?

The main purpose of using a refresh token is to considerably shorten the life of an access token. The refresh token can then later be used to authenticate the user as and when required by the application without running into problems such as cookies being blocked, etc.

What is a refresh token in OAuth?

A refresh token is a central part of OAuth, and consequently of OpenID Connect. It is a kind of token that can be used to get additional access tokens: a sort of "token granting token" in that it can be sent to the OAuth server to obtain new ones.

Do SSO tokens expire?

The minimum token lifetime is 5 minutes, and the maximum is 1,440 minutes (24 hours). If your application has been granted the offline_access scope, the refresh token lifetime is 14 days. However, you can customize these token lifetimes based on your organization's needs.

How long is an SSO token valid for?

Anytime the SSO session token is used within its validity period, the validity period is extended another 24 hours or 90 days. If the SSO session token isn't used within its Max Inactive Time period, it's considered expired and will no longer be accepted.

Why am I not getting a refresh token?

The refresh_token is only provided on the first authorization from the user. Subsequent authorizations, such as the kind you make while testing an OAuth2 integration, will not return the refresh_token again.

How is a refresh token created?

Refresh tokens are random strings generated by the authentication server. They are generated after successful authentication (for example, if the username and password of the user are valid). Their sole purpose is to remove the need to exchange user credentials repeatedly.

Where should access and refresh tokens be stored?

If your app needs to call APIs on behalf of the user, access tokens and (optionally) refresh tokens are needed. These can be stored server-side or in a session cookie. The cookie needs to be encrypted and have a maximum size of 4 KB.

What is the lifetime of a refresh token in identity server?

Maximum lifetime of a refresh token in seconds. Defaults to 2592000 seconds (30 days). Zero allows refresh tokens that, when used with RefreshTokenExpiration = Sliding, only expire after the SlidingRefreshTokenLifetime has passed.
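The three expiry modes the FAQ entries above describe (an absolute lifetime after which the token is dead regardless of use, a sliding window that is extended every time the token is used within it, and a zero absolute cap that leaves only the sliding rule in force) as an added Python model. This is illustration written for this page, not IdentityServer's or any vendor's code; the 30-day absolute default is the figure quoted above, the 15-day sliding value and the mode names "absolute" and "sliding" are this example's own choices, and a rejected token is treated as permanently rejected, as a server that has refused a refresh would.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

DAY = 86_400


@dataclass(frozen=True)
class RefreshTokenPolicy:
    """Lifetime rules modelled on the options the FAQ describes (names assumed here).
    expiration: "absolute" (fixed lifetime from issue) or "sliding" (extended on each use).
    absolute_lifetime: hard cap in seconds since issue; 0 means no cap (sliding mode only).
    sliding_lifetime: idle time allowed between uses in sliding mode (value assumed)."""
    expiration: str = "absolute"
    absolute_lifetime: int = 2_592_000   # 30 days, the default quoted in the FAQ
    sliding_lifetime: int = 15 * DAY     # assumed for the example


@dataclass(frozen=True)
class RefreshTokenState:
    issued_at: float
    last_used_at: float


def is_usable(policy: RefreshTokenPolicy, state: RefreshTokenState, now: float) -> bool:
    """Would the server accept this refresh token at time `now`?"""
    if policy.expiration == "absolute":
        return now < state.issued_at + policy.absolute_lifetime
    if policy.expiration == "sliding":
        # A non-zero absolute lifetime still caps an actively used token.
        if policy.absolute_lifetime and now >= state.issued_at + policy.absolute_lifetime:
            return False
        return now < state.last_used_at + policy.sliding_lifetime
    raise ValueError(f"unknown expiration mode {policy.expiration!r}")


def use(policy: RefreshTokenPolicy, state: RefreshTokenState, now: float) -> Optional[RefreshTokenState]:
    """Attempt a refresh at `now`; returns the updated state or None if the token is rejected.
    A successful use slides the window forward but never moves the issue time."""
    if not is_usable(policy, state, now):
        return None
    return replace(state, last_used_at=now)


def simulate(policy: RefreshTokenPolicy, use_days: List[int]) -> List[bool]:
    """Try refreshes on the given days after issue and report accept/reject per attempt.
    Once rejected, the token stays rejected: getting a new one needs a fresh sign-in."""
    state: Optional[RefreshTokenState] = RefreshTokenState(issued_at=0.0, last_used_at=0.0)
    results = []
    for day in use_days:
        state = use(policy, state, day * DAY) if state is not None else None
        results.append(state is not None)
    return results
```

With the same usage schedule (days 10, 29 and 31 after issue), the absolute policy accepts the first two attempts and refuses the third, while a sliding policy with no absolute cap refuses already on day 29 because 19 idle days exceed the 15-day window; adding a 30-day cap to the sliding policy gives an active token that is nonetheless cut off on day 35 even though it was used on day 29.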

How does a refresh token work?

A refresh token is a special key that enables a client for an API or service to retrieve new access tokens without requiring the user to perform a complete login. In other words, an application can exchange a valid refresh token for a new access token.

What is the identity token in identity server?

During user authentication, your IdentityServer collects data about the user, e.g. authentication method, authentication time, some protocol information and a unique identifier for the user that was authenticated, to communicate back to the client application "what happened at the token service".

How is an ID token validated?

Verify that the ID token is properly signed by Google. Use Google's public keys (available in JWK or PEM format) to verify the token's signature. These keys are regularly rotated; examine the Cache-Control header in the response to determine when you should retrieve them again.

How long should ID tokens last?

By default, an ID token is valid for 36000 seconds (10 hours).

When should you refresh a token?

You could check if the access token is expired and refresh it (if need be) every time you make an API call. That could work, but you could potentially run into a situation where the refresh token actually expires. If that happens your API call will fail and you'll need to request authorization again to get new tokens.

Author: Eusebia Nader

Last Updated:

Views: 5771

Rating: 5 / 5 (80 voted)

Reviews: 87% of readers found this page helpful

Author information

Name: Eusebia Nader

Birthday: 1994-11-11

Address: Apt. 721 977 Ebert Meadows, Jereville, GA 73618-6603

Phone: +2316203969400

Job: International Farming Consultant

Hobby: Reading, Photography, Shooting, Singing, Magic, Kayaking, Mushroom hunting

Introduction: My name is Eusebia Nader, I am a encouraging, brainy, lively, nice, famous, healthy, clever person who loves writing and wants to share my knowledge and understanding with you.