Messages - Why is a refresh token needed if an authentication code is being used?

Issue #343 resolved
Michael Jones created an issue

Why is a refresh token needed if an authorization code is being used? I thought the whole point of the authorization code was to get the refresh token so it never crosses the wire?

But, even more interestingly, OpenID negates the whole purpose of the refresh token!


The whole point of the refresh token was to give the client a handle for the user that could be anonymized so that delegating a permission didn’t mean also giving up the user’s identity. But the whole @#$@ purpose of OpenID is to IDENTIFY THE USER!!! So in an OpenID context there should never be a need to have a refresh token. Instead we should be able to include the user’s identity directly into the call.

Comments (4)

  1. Nat Sakimura


    These statements are false.

    Purpose of refresh token is that unlike access token, it is only presented to the authorization server. Access token would be shown to any number of resources on the other hand. Thus, access token are more susceptible to the leakage. This is the reason to make the validity period of access token short and regain access token using long term refresh token.

    Refresh token may act like PPID, but it is a side effect. The resource whose access was granted through refresh token may have nothing to do with a particular user (entity). It is not identifying a user. It is identifying the resource access grant.

    Also, OpenID on the other hand identifies an entity, but this "identify" may be using PPID, or even transaction ID per refresh token.

  2. John Bradley

    Connect is a profile of OAuth.

    If the Authorization server is granting long term access to the client for the user info endpoint or other resources, using a refresh token that may be down scoped is preferred over granting access tokens that don't expire.

    Access tokens should be short lived so that the protected resource can be stateless.

  3. Log in to comment