Refresh Token

A refresh token is used to obtain a new access token once the current access token has expired, without asking the user to log in again.

A refresh token can be either a random ID or a JWT.

  • Normally we use a random ID, so that the token can be stored in a database and manually invalidated server-side. This gives us more control and is the more secure option, since a self-contained JWT cannot be revoked before it expires.
  • We can also use refresh token rotation, so that the refresh token changes every time it is used.

Considering the following flow:

[Image: sequence diagram of the access_token / refresh_token flow between Application and Server]

  1. Application authorises (logs in)
  2. Server returns access_token and refresh_token
  3. Application uses the access_token to make an authorised request
  4. Server approves the request
  5. access_token expires
  6. Application uses the expired access_token to make an authorised request
  7. Server denies the request
  8. Application uses the refresh_token to get a new access_token
  9. Application uses the new access_token to make an authorised request
  10. Application continues to use the access_token to authorise

Refresh token rotation

To limit the damage if a refresh token is exposed, we can rotate the refresh token every time it is used, so that each refresh token is valid for exactly one exchange. The flow then looks like this:

  1. access_token expires
  2. Client uses the refresh_token to get a new access_token
  3. Server invalidates the previous refresh_token and returns a new access_token and a new refresh_token
    1. To invalidate, you typically either store the last refresh_token per user, or keep track of the user's last one and make sure the newly issued one is different from it
    2. Or keep track of expired (rotated-out) refresh_tokens so they can be rejected if presented again
  4. Client stores the new refresh_token
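The rotation flow above, as an added example written for this note (not code from the original): it uses the random-ID approach from the first section, keeps rotated-out tokens per user (the second option in step 3) and, going slightly beyond the note, treats reuse of a retired token as a signal to revoke the user's active token. The class, method names and in-memory dicts are assumptions for illustration; a real deployment would back the store with a database.

```python
import secrets
import time

class RefreshTokenStore:
    """In-memory refresh token store with rotation (constructed for illustration)."""

    def __init__(self, ttl_seconds=30 * 24 * 3600):
        self.ttl = ttl_seconds
        self.active = {}    # refresh_token -> (user_id, expires_at)
        self.retired = {}   # refresh_token -> user_id, tokens already rotated out

    def issue(self, user_id, now=None):
        """Issue a fresh refresh token for a user (step 2 of the login flow)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # unguessable random ID, not a JWT
        self.active[token] = (user_id, now + self.ttl)
        return token

    def rotate(self, presented, now=None):
        """Exchange a refresh token for a new one, invalidating the old one.

        Returns (user_id, new_refresh_token), or None if the presented token
        is unknown, expired, or has already been rotated out.
        """
        now = time.time() if now is None else now
        if presented in self.retired:
            # A rotated-out token was presented again: either the client lost
            # a response or the token leaked. Revoke the user's live session.
            self.revoke_user(self.retired[presented])
            return None
        entry = self.active.get(presented)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            del self.active[presented]
            return None
        # Step 3: invalidate the previous refresh_token, remember it as retired,
        # and hand back a new one that is guaranteed to differ from the last.
        del self.active[presented]
        self.retired[presented] = user_id
        return user_id, self.issue(user_id, now)

    def revoke_user(self, user_id):
        """Manually invalidate every active refresh token for a user."""
        for tok, (uid, _) in list(self.active.items()):
            if uid == user_id:
                del self.active[tok]
```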