Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an access_token (which is used to authenticate oneself with a resource) as well as a refresh_token, which is used purely to create a new access_token:

http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.2

Why have both? Why not just make the access_token last as long as the refresh_token and not have a refresh_token?

+1  A: 

I don't know of a good reason why refresh tokens exist in the spec, but I do know that most OAuth providers don't use it.

Why not just make the access_token last as long as the refresh_token and not have a refresh_token?

That is exactly what Google does in its implementation of OAuth - the access token is long lived, and they don't have refresh tokens.

In Facebook's OAuth implementation, access tokens are short-lived by default. But they still don't have refresh tokens. The client app can however request the access token to be long-lived by using the extended permission "offline_access".

sri
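As an added example (not code from the original question or answer), here is a toy authorization server modelled on the draft's Access Token Response, showing the mechanics the question describes: the access_token is the bearer credential that resource servers see and it expires quickly, while the refresh_token only ever travels back to the authorization server, where it can be rotated, revoked or allowed to lapse. The clock hook, the TTL values and the method names are assumptions made for the illustration.

```python
# Added example (not from the original post): a toy OAuth 2.0 authorization
# server modelled on the draft-10 Access Token Response (section 4.2), used to
# show why the two tokens have different lifetimes. The clock hook, ACCESS_TTL
# and REFRESH_TTL values are constructed for the illustration.
import secrets
import time

ACCESS_TTL = 3600           # bearer token shown to resource servers: short-lived
REFRESH_TTL = 30 * 86400    # only ever sent back to the authorization server


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.access_tokens = {}    # access_token -> (client_id, expires_at)
        self.refresh_tokens = {}   # refresh_token -> (client_id, expires_at)

    def issue(self, client_id):
        """Access Token Response: access_token, expires_in and refresh_token."""
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        now = self.clock()
        self.access_tokens[access] = (client_id, now + ACCESS_TTL)
        self.refresh_tokens[refresh] = (client_id, now + REFRESH_TTL)
        return {"access_token": access, "expires_in": ACCESS_TTL,
                "refresh_token": refresh}

    def refresh(self, client_id, refresh_token):
        """grant_type=refresh_token: a new access token (plus a rotated refresh
        token) for the client the refresh token was issued to."""
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None or entry[0] != client_id or entry[1] <= self.clock():
            return {"error": "invalid_grant"}
        del self.refresh_tokens[refresh_token]   # single use: a replay is detectable
        return self.issue(client_id)

    def revoke(self, refresh_token):
        """Cut a client off; outstanding access tokens still die at ACCESS_TTL."""
        self.refresh_tokens.pop(refresh_token, None)

    def validate_bearer(self, access_token):
        """What a resource server checks: client_id, or None if unknown/expired."""
        entry = self.access_tokens.get(access_token)
        if entry is None or entry[1] <= self.clock():
            return None
        return entry[0]
```

A leaked access_token is therefore only useful until ACCESS_TTL runs out, whereas the long-lived credential never leaves the client/authorization-server pair and can be invalidated server-side.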