Refresh tokens

Access tokens expire one hour after they are issued (expires_in: 3600). Rather than re-authenticating, the client uses its refresh token to obtain a new access token. The refresh token is issued by the OAuth 2.0 authorization server together with the access token when the client first requests one. It is a long-lived credential: store it as carefully as the client secret, and present it only to the token endpoint, never to the resource server.

The figure below describes the refreshing of an expired access token:

+--------+                                           +---------------+
|        |--(A)------- Authorization Grant --------->|               |
|        |                                           |               |
|        |<-(B)----------- Access Token -------------|               |
|        |               & Refresh Token             |               |
|        |                                           |               |
|        |                            +----------+   |               |
|        |--(C)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(D)- Protected Resource --| Resource |   | Authorization |
| Client |                            |  Server  |   |     Server    |
|        |--(E)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(F)- Invalid Token Error -|          |   |               |
|        |                            +----------+   |               |
|        |                                           |               |
|        |--(G)----------- Refresh Token ----------->|               |
|        |                                           |               |
|        |<-(H)----------- Access Token -------------|               |
+--------+           & Optional Refresh Token        +---------------+

Steps (C) and (D) repeat until the access token expires. The resource server then rejects the access token with an invalid token error (F). The client presents its refresh token to the authorization server (G) and receives a new access token (H), optionally together with a new refresh token. When a new refresh token is returned, it replaces the stored one; the old refresh token must not be used again.

Request

The client sends a request to the token endpoint:

POST /oauth/token.php HTTP/1.1
Host: quasydoctest.be
Authorization: Basic cWRfY29sbGVjdDpmQVk5YmJLWg==
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=0f8e15c029e8b3d6498810802cf1e538daab622c

The following parameters are required:

  • client_id

    MANDATORY. Sent as the user name of the HTTP Basic credentials in the Authorization header

  • client_secret

    MANDATORY. Sent as the password of the HTTP Basic credentials in the Authorization header

  • grant_type

    MANDATORY. Value ‘refresh_token’

  • refresh_token

    MANDATORY. The refresh token issued together with the current access token

Response

On success the response contains the following JSON payload. expires_in is the lifetime of the new access token in seconds; a refresh_token field is present only when the server issues a new refresh token:

{
  "access_token": "1c9076bb4h5c8145b9d7di07d8d7bb5u2407f612",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "prodords"
}
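The exchange in the request and response above, carried through end to end as an added example (not Quasydoc's own client code): a client that builds the refresh request, adopts the response, replaces its stored refresh token when the server issues a new one, and follows steps (C) to (H) by refreshing once when the resource server answers with an invalid token error. The authorization and resource servers are in-memory stand-ins constructed for the example (they rotate refresh tokens and reject a reused one), and the client id, secret and token values are assumed, so the code runs offline.

```python
import base64
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode

# Client id, secret, token values and the in-memory servers below are constructed
# for this example; the real token endpoint is https://quasydoctest.be/oauth/token.php
CLOCK_SKEW = 60  # treat the access token as expired this many seconds early


@dataclass
class TokenState:
    access_token: str
    refresh_token: str
    expires_at: float  # Unix time after which the access token is not used
    scope: str = ""


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic value: client_id as user name, client_secret as password."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_refresh_request(client_id: str, client_secret: str, refresh_token: str):
    """Headers and form body for step (G), matching the request shown above."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Cache-Control": "no-cache",
    }
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return headers, body


def apply_token_response(old: TokenState, payload: dict, now: float) -> TokenState:
    """Step (H): adopt the new access token; keep the old refresh token unless the
    server issued a new one (refresh_token is optional in the response)."""
    if "access_token" not in payload or payload.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token response: {payload}")
    return TokenState(
        access_token=payload["access_token"],
        refresh_token=payload.get("refresh_token", old.refresh_token),
        expires_at=now + int(payload.get("expires_in", 3600)) - CLOCK_SKEW,
        scope=payload.get("scope", old.scope),
    )


class FakeServers:
    """Constructed in-memory authorization server plus resource server. Refresh
    tokens are single-use and rotated on every refresh; access tokens live one hour."""

    def __init__(self, client_id: str, client_secret: str, refresh_token: str):
        self.client_auth = basic_auth_header(client_id, client_secret)
        self.valid_refresh = {refresh_token}
        self.access_tokens = {}  # access token -> Unix expiry time

    def token_endpoint(self, headers: dict, body: str, now: float):
        if not secrets.compare_digest(headers.get("Authorization", ""), self.client_auth):
            return 401, {"error": "invalid_client"}
        form = parse_qs(body)
        if form.get("grant_type") != ["refresh_token"]:
            return 400, {"error": "unsupported_grant_type"}
        presented = form.get("refresh_token", [""])[0]
        if presented not in self.valid_refresh:
            return 400, {"error": "invalid_grant"}  # unknown, reused or revoked
        self.valid_refresh.discard(presented)
        new_refresh, access = secrets.token_hex(20), secrets.token_hex(20)
        self.valid_refresh.add(new_refresh)
        self.access_tokens[access] = now + 3600
        return 200, {"access_token": access, "expires_in": 3600, "token_type": "Bearer",
                     "scope": "prodords", "refresh_token": new_refresh}

    def resource_endpoint(self, headers: dict, now: float):
        """Steps (C)/(D) for a live access token, (E)/(F) otherwise."""
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if self.access_tokens.get(token, 0) <= now:
            return 401, {"error": "invalid_token"}
        return 200, {"data": "protected resource"}


def refresh(state: TokenState, creds: tuple, servers: FakeServers, now: float) -> TokenState:
    headers, body = build_refresh_request(creds[0], creds[1], state.refresh_token)
    status, payload = servers.token_endpoint(headers, body, now)
    if status != 200:
        # the refresh token is no longer usable: the client must start again at step (A)
        raise RuntimeError(f"refresh failed: {payload}")
    return apply_token_response(state, payload, now)


def fetch_with_refresh(state: TokenState, creds: tuple, servers: FakeServers, now: float):
    """Steps (C)-(H): refresh proactively when the token is known to be expired,
    otherwise call the resource and refresh once on an invalid_token error."""
    if now >= state.expires_at:
        state = refresh(state, creds, servers, now)
    status, body = servers.resource_endpoint({"Authorization": "Bearer " + state.access_token}, now)
    if status == 401 and body.get("error") == "invalid_token":
        state = refresh(state, creds, servers, now)
        status, body = servers.resource_endpoint({"Authorization": "Bearer " + state.access_token}, now)
    return status, body, state
```

Against the real service, the headers and body from build_refresh_request are sent over HTTPS to /oauth/token.php on quasydoctest.be and the decoded JSON is handed to apply_token_response. The two retry paths matter in practice: the proactive refresh avoids a round trip the client knows will fail, and the refresh-on-invalid_token path covers an access token that the server has invalidated before its nominal expiry. A refresh is attempted at most once per call so a broken refresh token cannot loop; the error it raises is the signal to re-run the original authorization grant.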