Refresh token: concept, purpose, way it works
Get familiar with the concept of the refresh token. Learn why and when it is useful. Check how to use it securely.
Refresh token in a nutshell
Refresh tokens are long-lived tokens used to acquire a new access token when the present access token gets invalid or expires. They enable the client to get a new access token without prompting the user.
The refresh token is an string of characters that represents the authorization granted to the client by the resource owner. Refresh tokens are exchanged between the client and the authorization server and never sent to the resource server.
Refresh tokens are issued to the client by the authorization server. Issuing a refresh token is optional at the discretion of the authorization server. If the authorization server issues a refresh token, it is included when issuing an access token.
Enable refresh tokens in ACP
If you want ACP to issue refresh tokens, you need to configure your workspace and application settings accordingly. See the video for the guidelines on how to enable the refresh token grant, verify the offline access scope, and configure TTL for your refresh token. Alternatively, check the instructions in Configure workspace settings and Configure client settings.
Configure workspace settings
In ACP, navigate to the workspace where your application can be accessed and select Settings from the sidebar.
Open the Authorization view, navigate to Allowed grant types, select the Refresh token checkbox, and save your changes.
Configure client settings
Refresh tokens works well with backend applications but should not be used by single-page applications (SPAs).
In ACP, navigate to the workspace where your application can be accessed for configuration, select Applications > Clients from the sidebar, open the application you want to configure, and go to its OAuth view.
Navigate to Grant types, add refresh_token from the drop-down list, and save your changes.
Open the Scopes view, select the Profile service to expand the list of available scopes, and make sure that the offline access scope is enabled.
Refresh tokens are long-lasting artifacts. They are long-lived tokens with TTLs up to a few years.
In ACP, there are TTLs for refresh tokens predefined per workspace (authorization server). You can modify them by entering a particular workspace and navigating to Auth Server > Tokens > Time to Live Settings > Refresh token TTL.
Way it works
The client can request a refresh token early in the process of retrieving an access token. For details on the authorization grant flow featuring the refresh token, see Refresh token grant.
Make sure your refresh tokens are not stored in the browser local storage unless you have the refresh token rotation set up.