Refresh token refresh rate
Let's say we have a refresh token with a lifetime of a month. Within that month, with each subsequent call to the "auth" endpoint (with username and password), should the same refresh token be returned, or should a new one be generated, and why?
Long story short... should the user be forced to log in again after the lifetime of the refresh token expires, or should he be allowed to refresh his tokens indefinitely?
Solution 1:[1]
The usual pattern I have seen used is that the initial authentication or refresh call is what would return both a new access token and a new refresh token. One use of the refresh token is for acquiring a new access token after the current/old access token has expired. Here is an example workflow:
- user authenticates via 1FA/2FA to the server
- access and refresh tokens are returned; refresh token lives slightly longer than access token, by design
- after some time, the access token expires, and the user sends the refresh token to the server
- a new access token and refresh token are returned; continue from the second step above
As the refresh token intentionally will outlive the access token, there is no need to send a new refresh token with each request. Rather, simply let the user initiate the request for a new access/refresh token when the time comes.
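The workflow in the answer, written out as an added example (this is not code from the post or from any library): a minimal in-memory token service that issues an access/refresh pair at login, lets an expired access token be replaced by presenting the refresh token, rotates the refresh token on every refresh so the old one is single-use, and forces a fresh login once the refresh token's own lifetime has lapsed. The lifetimes, the in-memory dictionaries, the injectable clock and all names (`TokenService`, `AuthError`, `demo`) are assumptions chosen for illustration.

```python
"""Refresh-token rotation demo (added example; names and lifetimes are assumed)."""
import secrets
import time

ACCESS_TTL = 15 * 60           # access token lifetime: 15 minutes (assumed)
REFRESH_TTL = 30 * 24 * 3600   # refresh token lifetime: about a month, as in the question


class AuthError(Exception):
    """Raised when credentials or a token are rejected."""


class TokenService:
    def __init__(self, users, now=time.time):
        self._users = users    # {username: password}; constructed sample data only
        self._now = now        # injectable clock so expiry can be simulated
        self._access = {}      # access token  -> (username, expiry epoch seconds)
        self._refresh = {}     # refresh token -> (username, expiry epoch seconds)

    def _issue(self, username):
        # Always mint a brand-new pair; the refresh token outlives the access token by design.
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        now = self._now()
        self._access[access] = (username, now + ACCESS_TTL)
        self._refresh[refresh] = (username, now + REFRESH_TTL)
        return {"access_token": access, "refresh_token": refresh}

    def login(self, username, password):
        # Step 1: primary authentication (single factor here for brevity).
        if not secrets.compare_digest(self._users.get(username, ""), password):
            raise AuthError("bad credentials")
        # Step 2: a fresh access/refresh pair on every successful login.
        return self._issue(username)

    def refresh(self, refresh_token):
        # Steps 3-4: exchange the refresh token for a new pair. pop() makes it single-use,
        # so a replayed (stolen or already rotated) refresh token is rejected.
        entry = self._refresh.pop(refresh_token, None)
        if entry is None:
            raise AuthError("unknown or already-used refresh token")
        username, expiry = entry
        if self._now() >= expiry:
            raise AuthError("refresh token expired; log in again")
        return self._issue(username)

    def verify_access(self, access_token):
        """Return the username for a valid access token, or None if missing/expired."""
        entry = self._access.get(access_token)
        if entry is None:
            return None
        username, expiry = entry
        if self._now() >= expiry:
            del self._access[access_token]
            return None
        return username


def demo():
    """Run the workflow against a simulated clock and report what happened."""
    clock = [1_000_000.0]
    svc = TokenService({"alice": "correct horse"}, now=lambda: clock[0])
    first = svc.login("alice", "correct horse")
    result = {"login_ok": svc.verify_access(first["access_token"]) == "alice"}

    clock[0] += ACCESS_TTL + 1                      # access token expires
    result["access_expired"] = svc.verify_access(first["access_token"]) is None

    second = svc.refresh(first["refresh_token"])    # refresh returns a new pair
    result["rotated"] = second["refresh_token"] != first["refresh_token"]
    result["new_access_ok"] = svc.verify_access(second["access_token"]) == "alice"

    try:                                            # old refresh token is single-use
        svc.refresh(first["refresh_token"])
        result["old_refresh_rejected"] = False
    except AuthError:
        result["old_refresh_rejected"] = True

    clock[0] += REFRESH_TTL + 1                     # refresh token lifetime lapses
    try:                                            # user must log in again
        svc.refresh(second["refresh_token"])
        result["relogin_required"] = False
    except AuthError:
        result["relogin_required"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Note that with rotation the session can continue for as long as the client keeps refreshing before `REFRESH_TTL` lapses; the only thing that forces a new login in this model is letting the refresh token expire (or having it revoked server-side by deleting its entry).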
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Tim Biegeleisen |
