Refresh tokens are also used by public clients, e.g. native apps. OIDC allows a client to acquire a new id token from a refresh token as well. Note: this does not mean a fresh authentication, but a refreshed id token containing the data of the original authentication transaction.
On 24 August 2015 17:08:21 CEST, John Bradley <[email protected]> wrote:
>I think Nat's diagram about the problems of doing pseudo authentication with OAuth is being taken out of context.
>
>The refresh token doesn't expire, it is revoked by the user or system. In some cases refresh tokens are automatically revoked if the user's session to the AS ends. I think AOL typically revokes refresh tokens when sessions terminate.
>
>OpenID Connect provides a separate id_token with an independent lifetime from the refresh token. A client may keep a refresh token for a much longer time than the user has a login session with the AS.
>
>Refresh tokens are typically used by confidential clients that are using a client secret in combination with the refresh token for getting a new access token.
>
>By design access tokens should be short lived as the AS is expected to have a way of revoking refresh tokens but not access tokens. An access token that doesn't expire, and can't be revoked, is not a good idea.
>
>John B.
>
>
>> On Aug 24, 2015, at 2:41 AM, Donghwan Kim <[email protected]> wrote:
>>
>> Hi,
>>
>> According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5, a refresh token can be used to refresh an expired access token without requesting the resource owner to sign in again (an uncomfortable experience). However, if that's true, couldn't a refresh token be used to request a new access token even years later? And then isn't a refresh token the same as an access token which never expires?
>>
>> I intended to use the refresh token to implement persistent login by sending a refresh request before the issued access token expires (expires_in runs out). But if the refresh token works even if the access token has already expired, sending a refresh request on application start-up would be enough.
>>
>> So I'm not sure what I'm missing about refresh tokens, or how to implement persistent login using them (you can regard authentication here as the pseudo-authentication illustrated in https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg). What is the lifetime of a refresh token?
>>
>> Thanks,
>>
>> -- Donghwan
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
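The model the thread describes (short-lived access tokens, a refresh token that is valid until revoked rather than until some expiry, and an id_token that can be refreshed without re-authenticating the user) is small enough to show end to end. The following is an added example written for this page, not code from the thread participants or from any library; ToyAuthServer, ToyClient, CLIENT_ID, ACCESS_TTL and the token/claim layouts are assumptions for illustration and not the RFC 6749 or OIDC wire formats. It walks through Donghwan's scenario: the app restarts two years after login, resumes with the stored refresh token alone, and is locked out only once the refresh token is revoked. It also shows the point from the reply above: the refreshed id_token keeps the original auth_time while its iat advances.

```python
"""Added example: toy AS + native-app client for the refresh-token model.
All names and formats here are assumptions for illustration only."""
import secrets

ACCESS_TTL = 3600                 # access tokens are short-lived by design
ISSUER = "https://as.example"     # assumed issuer
CLIENT_ID = "native-app"          # assumed public client (no client secret)


class ToyAuthServer:
    def __init__(self, clock):
        self.clock = clock            # injected clock so the demo can jump years ahead
        self.refresh_tokens = {}      # refresh_token -> {"sub", "auth_time", "client_id"}
        self.access_tokens = {}       # access_token -> {"sub", "exp"}; no revocation path

    def _issue_access(self, sub):
        tok = secrets.token_urlsafe(16)
        self.access_tokens[tok] = {"sub": sub, "exp": self.clock() + ACCESS_TTL}
        return tok

    def _id_token(self, sub, auth_time):
        # Minimal id_token claims (a real AS would JWS-sign these). iat moves on
        # every issue; auth_time stays at the original interactive login.
        now = self.clock()
        return {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
                "iat": now, "exp": now + ACCESS_TTL, "auth_time": auth_time}

    def login(self, sub):
        """Interactive authentication of the resource owner."""
        auth_time = self.clock()
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = {"sub": sub, "auth_time": auth_time, "client_id": CLIENT_ID}
        return {"access_token": self._issue_access(sub), "refresh_token": rt,
                "id_token": self._id_token(sub, auth_time), "expires_in": ACCESS_TTL}

    def refresh(self, rt, client_id):
        """Refresh grant. Nothing checks an expiry on the refresh token: it is
        valid until revoked. The token is rotated on every use so a replayed
        old refresh token is rejected. A confidential client would also have
        to present its client secret here; this toy models a public client."""
        rec = self.refresh_tokens.pop(rt, None)
        if rec is None or rec["client_id"] != client_id:
            raise PermissionError("invalid_grant")
        new_rt = secrets.token_urlsafe(32)
        self.refresh_tokens[new_rt] = rec
        return {"access_token": self._issue_access(rec["sub"]), "refresh_token": new_rt,
                "id_token": self._id_token(rec["sub"], rec["auth_time"]), "expires_in": ACCESS_TTL}

    def revoke(self, rt):
        """User logout or AS session end: refresh tokens can be revoked,
        already-issued access tokens simply run out."""
        self.refresh_tokens.pop(rt, None)

    def access_token_valid(self, tok):
        rec = self.access_tokens.get(tok)
        return rec is not None and rec["exp"] > self.clock()


class ToyClient:
    """Persists only the refresh token across restarts (e.g. in the OS keychain)."""
    def __init__(self, server):
        self.server = server
        self.storage = {}             # stands in for durable storage
        self.access_token = None
        self.id_token = None

    def _store(self, resp):
        self.storage["refresh_token"] = resp["refresh_token"]
        self.access_token = resp["access_token"]
        self.id_token = resp["id_token"]

    def interactive_login(self, sub):
        self._store(self.server.login(sub))

    def startup(self):
        """Persistent login: on app start, trade the stored refresh token for a
        new access token, however long ago the old one expired. Returns False
        when the refresh token is missing or revoked, i.e. the user must sign
        in interactively again."""
        rt = self.storage.get("refresh_token")
        if rt is None:
            return False
        try:
            self._store(self.server.refresh(rt, CLIENT_ID))
            return True
        except PermissionError:
            self.storage.pop("refresh_token", None)
            return False


def demo():
    """Walk through the scenario from the thread with a constructed clock."""
    now = [1_440_000_000]                     # constructed epoch seconds
    srv = ToyAuthServer(lambda: now[0])
    app = ToyClient(srv)
    app.interactive_login("donghwan")
    first_auth_time = app.id_token["auth_time"]
    old_access, old_rt = app.access_token, app.storage["refresh_token"]

    now[0] += 2 * 365 * 24 * 3600             # two years later the app restarts
    access_expired = not srv.access_token_valid(old_access)
    resumed = app.startup()                   # no user interaction needed
    new_access_valid = srv.access_token_valid(app.access_token)
    auth_time_unchanged = app.id_token["auth_time"] == first_auth_time
    iat_advanced = app.id_token["iat"] > first_auth_time
    try:
        srv.refresh(old_rt, CLIENT_ID)        # replay of the rotated-out token
        old_rt_rejected = False
    except PermissionError:
        old_rt_rejected = True

    srv.revoke(app.storage["refresh_token"])  # user logs out at the AS
    resumed_after_revoke = app.startup()
    return {"access_expired": access_expired, "resumed": resumed,
            "new_access_valid": new_access_valid, "auth_time_unchanged": auth_time_unchanged,
            "iat_advanced": iat_advanced, "old_rt_rejected": old_rt_rejected,
            "resumed_after_revoke": resumed_after_revoke}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is in refresh(): the server never compares the refresh token against an expiry, only against its table of live tokens, so "lifetime" is whatever revocation policy the AS applies (logout, session end, administrative revocation, or rotation on use). That is why startup() can succeed years later yet fail immediately after revoke(), while the access token issued at login is useless after ACCESS_TTL regardless.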
