Refresh Token
04 Apr 2024

Refresh Tokens are credentials used to obtain new Access Tokens. A Refresh Token is a string representing the authorization granted to the client by the resource owner. The string is usually opaque to the client: it is only an identifier that the authorization server uses to look up the stored authorization. Unlike Access Tokens, Refresh Tokens are intended for use only with the authorization server, never with an API. Refresh Tokens are subject to strict storage requirements to ensure that they are not leaked, and they can be revoked by the Authorization Server.

A Refresh Token allows an application to ask the Visma Connect authorization server to issue a new Access Token directly, without re-authenticating the user. It keeps working as long as the Refresh Token has not been revoked or expired. Check out Offline Access for more details.

Refresh Token security considerations

Refresh Tokens are a high-value target for attackers because they typically have a much longer lifetime than Access Tokens. The following techniques can be used to reduce the attack surface of Refresh Tokens.

Consent

It's a good idea to ask for user consent. This way your app makes the user aware of what's happening with offline access.

Sliding expiration

Refresh Tokens usually have a (much) longer lifetime than an Access Token. You can reduce the exposure by adding a sliding lifetime on top of the absolute lifetime. A Refresh Token can then be used silently while the user is regularly using the client, but a fresh authorize request is needed once the client has not been used for a certain time. In other words, tokens auto-expire much sooner without interfering with the typical usage pattern. Use the "But will expire if not used in ... days" option to enable this.

One-time Refresh Tokens

Another option is rotating the Refresh Token on every use. This also reduces the exposure and makes it more likely that older Refresh Tokens (e.g. ones exfiltrated from some storage mechanism or from a network trace or log file) are already unusable by the time an attacker tries them.

Replay detection

When one-time tokens are used, replay detection is enabled. This means that if the same Refresh Token is used more than once, all access for that client/user combination is revoked. The downside of this approach is that a legitimate Refresh Token may become unusable in more situations, for example due to network problems while refreshing.
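The three mechanisms above (sliding plus absolute lifetime, one-time rotation, and replay detection that revokes the whole client/user grant) are easiest to see together in a small server-side token store. The following is an added, constructed example and not Visma Connect's implementation; the `Grant`/`RefreshTokenStore` names, the status strings and the in-memory dictionary are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Grant:  # authorization for one client/user pair; all its refresh tokens share this record
    client_id: str
    user_id: str
    issued_at: float          # start of the absolute lifetime
    absolute_lifetime: float  # seconds after issued_at when the grant dies regardless of use
    sliding_lifetime: float   # seconds of inactivity after which the grant dies
    last_used: float
    revoked: bool = False


class RefreshTokenStore:  # constructed model of the authorization server's token store
    def __init__(self, one_time: bool = True):
        self.one_time = one_time
        self._tokens = {}  # opaque token string -> (grant, consumed)

    def _mint(self, grant: Grant) -> str:
        token = secrets.token_urlsafe(32)  # opaque to the client: only a lookup key
        self._tokens[token] = (grant, False)
        return token

    def issue(self, client_id, user_id, absolute_lifetime, sliding_lifetime, now) -> str:
        return self._mint(Grant(client_id, user_id, now, absolute_lifetime, sliding_lifetime, now))

    def refresh(self, token: str, now: float):
        """Return (status, new_refresh_token); a token is handed back only when status == "ok"."""
        entry = self._tokens.get(token)
        if entry is None:
            return "unknown", None
        grant, consumed = entry
        if grant.revoked:
            return "revoked", None
        if consumed:
            # Replay detection: a one-time token presented twice means a copy leaked,
            # so the whole client/user combination loses access, newest token included.
            grant.revoked = True
            return "replayed", None
        if now > grant.issued_at + grant.absolute_lifetime:
            return "expired_absolute", None
        if now > grant.last_used + grant.sliding_lifetime:
            return "expired_idle", None
        grant.last_used = now  # sliding window restarts on every legitimate use
        if not self.one_time:
            return "ok", token  # without rotation the same token stays usable until expiry
        self._tokens[token] = (grant, True)  # rotation: the presented token is now spent
        return "ok", self._mint(grant)
```

Note that after a replay even the newest token of the chain is rejected, which is exactly the trade-off the paragraph above describes: a client that lost the response to a refresh call and retries with the old token locks itself out.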

