There is a good debate and discussion on refresh tokens on StackOverflow. http://stackoverflow.com/questions/3487991/why-does-oauth-v2-have-both-access-and-refresh-tokens
Is this a good place to send developers to answer refresh token questions, and if not, can the illustrious smart people on this list update StackOverflow if necessary?

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

> On Aug 23, 2015, at 11:41 PM, Donghwan Kim <flowersinthes...@gmail.com> wrote:
>
> Hi,
>
> According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5,
> refresh token can be used to refresh an expired access token without
> requesting resource owner to sign in again (uncomfortable experience).
> However, if it's true, isn't it that refresh token might be used to request a
> new access token even years later? And then isn't refresh token the same with
> access token which never expires?
>
> I intended to use refresh token to implement persistent login by sending a
> refresh request before issued access token expires (expires_in runs out). But
> if refresh token works even if access token expired already, sending a
> refresh request on application start up would be enough.
>
> So I'm not sure what I'm missing about refresh token as well as how to
> implement persistent login using it (you can regard authentication here
> pseudo-authentication illustrated in
> https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
> What is the lifetime of refresh token?
>
> Thanks,
>
> -- Donghwan
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth