Refresh Token

A refresh token is used to obtain a new access token once the current access token has expired, without sending the user through authorisation again.

Considering the following flow:

Pasted image 20230807211640.png

  1. Application authorises
  2. Server returns access_token and refresh_token
  3. Application uses the access_token to authorise a request
  4. Server approves the request
  5. access_token expires
  6. Application uses the expired access_token to authorise a request
  7. Server denies the request
  8. Application uses the refresh_token to get a new access_token
  9. Application uses the new access_token to authorise a request
  10. Application uses the access_token to authorise

Refresh token rotation

To limit the damage if a refresh token is exposed, the server can rotate it: every time a refresh token is used, the server invalidates it and issues a new one alongside the new access token. The flow then becomes:

  1. access_token expires
  2. Client uses the refresh_token to get a new access_token
  3. Server invalidates the previous refresh_token and returns a new access_token and refresh_token
  4. Client stores the new refresh_token
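The two flows above, walked through end to end as an added example (this is not code from the note, just an in-memory stand-in for the server and client). Token lifetimes, the `AuthServer`/`FakeClock` names and the `alice` user are assumptions. The example goes one step beyond the note: once a refresh token has been rotated out, presenting it again is treated as reuse and the server revokes the whole token family, which is what makes rotation useful as a detection signal rather than only a mitigation.

```python
import secrets
import time

# Lifetimes chosen for the demo (assumptions, not values from the note).
ACCESS_TTL = 60       # seconds an access_token stays valid
REFRESH_TTL = 3600    # seconds a refresh_token stays valid


class AuthServer:
    """In-memory stand-in for the authorisation server in the note's flow."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.access = {}          # access_token -> (user, expiry, family)
        self.refresh = {}         # live refresh_token -> (user, expiry, family)
        self.used_refresh = {}    # rotated-out refresh_token -> family
        self.revoked_families = set()

    def _issue(self, user, family):
        """Mint a fresh access_token/refresh_token pair bound to one family."""
        now = self.clock()
        access_token = secrets.token_urlsafe(32)
        refresh_token = secrets.token_urlsafe(32)
        self.access[access_token] = (user, now + ACCESS_TTL, family)
        self.refresh[refresh_token] = (user, now + REFRESH_TTL, family)
        return {"access_token": access_token, "refresh_token": refresh_token}

    def authorize(self, user):
        """Steps 1-2: the application authorises, the server returns both tokens."""
        return self._issue(user, family=secrets.token_hex(8))

    def check_access(self, access_token):
        """Steps 3-4 and 6-7: return the user if the token is valid, else None."""
        rec = self.access.get(access_token)
        if rec is None:
            return None
        user, expiry, family = rec
        if self.clock() >= expiry or family in self.revoked_families:
            return None
        return user

    def refresh_tokens(self, refresh_token):
        """Step 8 with rotation: consume the refresh_token and return a new pair."""
        if refresh_token in self.used_refresh:
            # A rotated-out token came back: either the client replayed a stale
            # copy or someone else holds it. Revoke the whole family so neither
            # side can continue (reuse detection, an addition beyond the note).
            self._revoke_family(self.used_refresh[refresh_token])
            return None
        rec = self.refresh.get(refresh_token)
        if rec is None:
            return None
        user, expiry, family = rec
        if self.clock() >= expiry or family in self.revoked_families:
            return None
        del self.refresh[refresh_token]            # invalidate the previous refresh_token
        self.used_refresh[refresh_token] = family  # remember it so reuse is detectable
        return self._issue(user, family)

    def _revoke_family(self, family):
        self.revoked_families.add(family)
        self.refresh = {t: r for t, r in self.refresh.items() if r[2] != family}


class FakeClock:
    """Controllable clock so the demo can expire tokens without sleeping."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_flow():
    """Walk through the note's numbered steps and report each outcome."""
    clock = FakeClock()
    server = AuthServer(clock)
    first = server.authorize("alice")                                              # 1, 2
    result = {"initial_ok": server.check_access(first["access_token"]) == "alice"}  # 3, 4
    clock.advance(ACCESS_TTL + 1)                                                  # 5
    result["expired_denied"] = server.check_access(first["access_token"]) is None  # 6, 7
    second = server.refresh_tokens(first["refresh_token"])                         # 8: rotation
    result["rotated"] = second is not None and second["refresh_token"] != first["refresh_token"]
    result["new_ok"] = server.check_access(second["access_token"]) == "alice"      # 9, 10
    # The old refresh_token is invalid now; presenting it again trips reuse detection.
    result["old_refresh_rejected"] = server.refresh_tokens(first["refresh_token"]) is None
    result["family_revoked"] = server.check_access(second["access_token"]) is None
    return result


if __name__ == "__main__":
    for step, outcome in run_flow().items():
        print(f"{step}: {outcome}")
```

Each key in the returned dict corresponds to one outcome of the numbered steps; the last two show why a client must store the new refresh_token promptly (step 4 of the rotation flow): replaying the old one costs it the whole session.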