Refreshing access token using access token



  • Is it safe to refresh your access token using your access token (assuming of course it is still valid)?

    And, if not, what makes a refresh token that much more special that it is safe to be used as a means of refreshing access tokens?



  • From my understanding, a token is a stateless credential for access control; as such, tokens for accessing a particular service must have a reasonably limited lifetime.

    Therefore, to gain such access, login and refresh tokens need to be generated from a better-protected master key. This master key is typically the user credential (in the case of automated bots, the application credential), and must be revocable should the service determine that it's being abused.

    That's based on my experience of designing in-house applications, others may have better answers.
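As an added illustration of the answer's point (example code, not from the original thread or any particular service): a minimal issuer where access tokens are short-lived, signed and stateless, refresh tokens are server-side handles obtained only by presenting the credential and revocable at any time, and the refresh step rejects an access token offered in place of a refresh token. The signing key, the password check and all function names are constructed assumptions for the example.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional, Tuple

# Constructed server-side secret for the example (not a real key).
SIGNING_KEY = b"example-signing-key-do-not-reuse"
ACCESS_TTL = 300        # seconds; short-lived, verified by signature alone
# Refresh tokens are random handles kept server-side so they can be revoked.
_refresh_store: dict = {}   # handle -> {"sub": str, "revoked": bool}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_access_token(sub: str, now: float) -> str:
    """Self-contained, HMAC-signed access token; nothing about it is stored."""
    body = _b64(json.dumps({"typ": "access", "sub": sub, "exp": now + ACCESS_TTL}).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_access_token(token: str, now: float) -> Optional[dict]:
    """Stateless check: valid signature, correct type claim, not yet expired."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims.get("typ") == "access" and claims["exp"] > now else None

def login(username: str, password: str, now: float) -> Optional[Tuple[str, str]]:
    """The 'master key' step: only a verified credential yields a refresh handle."""
    if password != "correct horse battery staple":   # constructed check, not a user store
        return None
    handle = secrets.token_urlsafe(32)
    _refresh_store[handle] = {"sub": username, "revoked": False}
    return mint_access_token(username, now), handle

def refresh(presented: str, now: float) -> Optional[str]:
    """Only a live, server-side refresh handle can mint a new access token.
    An access token (even an unexpired one) is rejected: it has no server-side
    record, so there would be nothing to revoke to stop indefinite renewal."""
    rec = _refresh_store.get(presented)
    if rec is None or rec["revoked"]:
        return None
    return mint_access_token(rec["sub"], now)

def revoke_refresh_token(handle: str) -> None:
    """Revocation only needs to touch the stored handle, not every access token."""
    if handle in _refresh_store:
        _refresh_store[handle]["revoked"] = True
```

Note that after revocation an already-issued access token stays valid until its own expiry, which is exactly why the access lifetime must be kept short.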


