OAuth 2.0 Tokens: Access Tokens, Refresh Tokens, and Authorization Flows
OAuth 2.0 is the industry-standard protocol for authorization, enabling applications to obtain limited access to user accounts on HTTP services. At the heart of OAuth 2.0 are tokens - strings that represent specific access rights granted to a client application.
OAuth 2.0 Token Types
Access Token
The access token is a credential that represents the authorization granted to the client. It's typically a JWT or an opaque string that the resource server accepts as proof of authorization. Access tokens have a limited lifespan, usually ranging from minutes to hours, to minimize the impact of token theft.
Refresh Token
Refresh tokens are long-lived credentials used to obtain new access tokens without requiring user interaction. They enable "remember me" functionality and reduce the friction of repeated logins. Refresh tokens must be stored securely and can be revoked by the authorization server.
OAuth 2.0 Grant Types
- Authorization Code: The most secure flow, suitable for server-side applications. The client receives an authorization code that is exchanged for tokens at the token endpoint.
- Authorization Code with PKCE: An extension for public clients (SPAs, mobile apps) that prevents authorization code interception attacks.
- Client Credentials: Used for machine-to-machine communication where no user is involved.
- Device Authorization: For devices with limited input capabilities (IoT, smart TVs).
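The PKCE binding described above, as an added example that is not part of the original article: a hypothetical in-memory authorization server issues a code bound to the client's S256 challenge, and the token endpoint only redeems the code when the matching code_verifier is presented (and only once). The function and variable names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical in-memory authorization-server state: auth_code -> code_challenge it was bound to.
_issued_codes: dict = {}

def make_code_verifier() -> str:
    """Client side: high-entropy random verifier (RFC 7636 requires 43..128 unreserved chars)."""
    return secrets.token_urlsafe(48)  # 64 base64url characters, no padding

def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorize(code_challenge: str, method: str = "S256") -> str:
    """Server side, authorization endpoint: issue a code and remember the challenge it is tied to."""
    if method != "S256":
        raise ValueError("only S256 is accepted; 'plain' gives no interception protection")
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = code_challenge
    return code

def redeem_code(code: str, code_verifier: Optional[str]) -> Optional[dict]:
    """Server side, token endpoint: recompute the challenge from the verifier before issuing tokens."""
    expected = _issued_codes.pop(code, None)  # single use: the code is consumed on first attempt
    if expected is None or code_verifier is None:
        return None
    if not hmac.compare_digest(make_code_challenge(code_verifier), expected):
        return None
    # Constructed sample token response; a real server would mint a JWT or opaque token here.
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 600}

def demo_pkce() -> tuple:
    """Returns (legit_ok, replay_rejected, stolen_code_rejected)."""
    verifier = make_code_verifier()
    code = authorize(make_code_challenge(verifier))
    legit = redeem_code(code, verifier)           # correct verifier -> tokens issued
    replay = redeem_code(code, verifier)          # same code again -> rejected (single use)
    code2 = authorize(make_code_challenge(make_code_verifier()))
    stolen = redeem_code(code2, "guessed-verifier")  # code captured in transit, verifier unknown
    return legit is not None, replay is None, stolen is None

if __name__ == "__main__":
    print(demo_pkce())  # (True, True, True)
```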
Token Endpoint
The token endpoint is where clients exchange authorization grants for tokens. This endpoint authenticates the client, validates the grant, and issues access and refresh tokens. All communications with the token endpoint must use TLS.
Conclusion
OAuth 2.0 tokens provide a robust framework for delegated authorization. Understanding the different token types and grant flows is essential for building secure, user-friendly applications that integrate with third-party services.
