The lifetime of a refresh token is up to the AS — they can expire, be revoked, 
etc. The difference between a refresh token and an access token is the 
audience: the refresh token only goes back to the AS, the access token goes to 
the RS. 

Also, just getting an access token doesn’t mean the user’s logged in. In fact, 
the user might not even be there anymore, which is actually the intended use 
case of the refresh token. Refreshing the access token will give you access to 
an API on the user’s behalf; it will not tell you if the user’s there.

OpenID Connect doesn’t just give you user information from an access token, it 
also gives you an ID token. This is a separate piece of data that’s directed at 
the client itself, not the AS or the RS. In OIDC, you should only consider 
someone actually “logged in” by the protocol if you can get a fresh ID token. 
Refreshing it is not likely to be enough.

 — Justin

> On Aug 24, 2015, at 1:41 AM, Donghwan Kim <flowersinthes...@gmail.com> wrote:
> 
> Hi,
> 
> According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5, a 
> refresh token can be used to refresh an expired access token without requesting 
> the resource owner to sign in again (an uncomfortable experience). However, if 
> it's true, isn't it that a refresh token might be used to request a new access 
> token even years later? And then isn't a refresh token the same as an access 
> token which never expires?
> 
> I intended to use refresh token to implement persistent login by sending a 
> refresh request before issued access token expires (expires_in runs out). But 
> if refresh token works even if access token expired already, sending a 
> refresh request on application start up would be enough.
> 
> So I'm not sure what I'm missing about refresh tokens as well as how to 
> implement persistent login using them (you can regard authentication here as 
> the pseudo-authentication illustrated in 
> https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg). 
> What is the lifetime of a refresh token?
> 
> Thanks,
> 
> -- Donghwan
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
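A toy model of the distinction drawn in the reply above, covering Donghwan's "years later" scenario as well. This is added example code, not anything from the thread or from a real AS: tokens are plain dicts, nothing is signed, the issuer and client_id are made up, and refresh tokens here never expire (a real AS may expire or revoke them). It relies on one real OIDC rule: a refreshed ID token keeps the original `auth_time` (OIDC Core 12.2), so only a recent `auth_time` counts as the user being logged in.

```python
# Refresh grant renews API access; only an ID token reporting a recent
# authentication (auth_time) counts as "logged in". Constructed example.
import secrets

ISSUER = "https://as.example"   # assumed issuer URL
CLIENT_ID = "client-123"        # assumed client_id
TOKEN_TTL = 3600                # expires_in for access tokens and ID token exp


class ToyAuthorizationServer:
    """In-process AS; refresh tokens never expire here (a real AS may revoke them)."""

    def __init__(self):
        self._refresh_tokens = {}  # refresh_token -> (subject, original auth_time)

    def login(self, subject, now):
        """Interactive login: the user is present, so auth_time is now."""
        rt = secrets.token_urlsafe(16)
        self._refresh_tokens[rt] = (subject, now)
        return self._issue(subject, rt, auth_time=now, now=now)

    def refresh(self, refresh_token, now):
        """Refresh grant: no user interaction. OIDC Core 12.2 requires a refreshed
        ID token to keep the ORIGINAL auth_time, so it cannot prove presence."""
        subject, original_auth_time = self._refresh_tokens[refresh_token]
        return self._issue(subject, refresh_token, original_auth_time, now)

    def _issue(self, subject, rt, auth_time, now):
        return {
            "access_token": secrets.token_urlsafe(16), "expires_in": TOKEN_TTL,  # for the RS
            "refresh_token": rt,                                                 # back to the AS only
            "id_token": {"iss": ISSUER, "aud": CLIENT_ID, "sub": subject,        # for the client
                         "iat": now, "exp": now + TOKEN_TTL, "auth_time": auth_time},
        }


def user_is_logged_in(id_token, now, max_age):
    """Client rule: ID token is ours, unexpired, and auth_time is within max_age seconds."""
    if id_token.get("iss") != ISSUER or id_token.get("aud") != CLIENT_ID or now >= id_token["exp"]:
        return False
    return now - id_token["auth_time"] <= max_age


def demo(max_age=300):
    """(logged in right after login, refresh still gives API access 2 years later,
    refreshed ID token still counts as logged in)."""
    as_, t0 = ToyAuthorizationServer(), 1_000_000
    first = as_.login("alice", t0)
    t_later = t0 + 2 * 365 * 86400
    later = as_.refresh(first["refresh_token"], t_later)
    return (user_is_logged_in(first["id_token"], t0 + 60, max_age),
            bool(later["access_token"]),
            user_is_logged_in(later["id_token"], t_later, max_age))
```

`demo()` returns `(True, True, False)`: the refresh token still yields an access token years later, but the ID token it comes with does not make the user "logged in".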
