interview

home / developersection / interviews / what is a refresh token and how is it used?

Ask Question
ICSM Computer

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Follow
Can you answer this question?
Answer

1 Answers

ICSM Computer

ICSM Computer

08-Jun-2025

A refresh token is a special token used in OAuth 2.0 and OpenID Connect that allows a client application to obtain a new access token without requiring the user to log in again.

Why Refresh Tokens?

  • Access tokens expire (e.g., in 1 hour) for security reasons.
  • Instead of asking the user to authenticate again, the app uses a refresh token to get a new access token silently.
  • This improves UX and security.

Structure

  • Refresh tokens are usually long, random strings (sometimes JWTs).
  • Stored securely by the client.
  • Never sent to resource APIs (only to the token endpoint).

Typical Flow with Refresh Token

  • User logs in using the Authorization Code flow.
{
  "access_token": "abc123",
  "refresh_token": "xyz789",
  "expires_in": 3600
}
  • Server returns:
  • After 1 hour (when access token expires):
    • Client sends:
POST /token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
refresh_token=xyz789
client_id=your-client-id
client_secret=your-client-secret
  • Server responds with a new access token (and optionally new refresh token).

Security Best Practices

Rule Description
Store securely Save refresh tokens in a secure place (e.g., encrypted DB)
Use HTTPS Always send refresh tokens over HTTPS
Rotate refresh tokens Send a new refresh token each time you use it
Revoke on logout Clear it on logout or server-side token revocation
Scope-limited Refresh tokens should be scoped and client-bound

When Not to Use

For public clients (SPAs, JS in browser), refresh tokens can be risky unless you use PKCE and Refresh Token Rotation.

Example (C# using IdentityModel library)

var client = new HttpClient();
var disco = await client.GetDiscoveryDocumentAsync("https://auth-server.com");

var tokenResponse = await client.RequestRefreshTokenAsync(new RefreshTokenRequest
{
    Address = disco.TokenEndpoint,
    ClientId = "client_id",
    ClientSecret = "client_secret",
    RefreshToken = "xyz789"
});

var newAccessToken = tokenResponse.AccessToken;

Summary

Feature Description
Purpose Get new access token without re-authenticating
Lifetime Longer than access token (hours, days, or more)
Security Must be stored securely; often issued only to trusted apps
Common With Authorization Code Flow, OpenID Connect

 

advertising
advertising

Liked By

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy