Access token-based authentication workflow

1. First, the client authenticates with the authentication component by providing the credentials.
2. Then, the authentication component issues the access token.
3. After that, the client requests the resource endpoint for a protected resource by providing the access token.
4. The resource endpoint validates the access token and provides a protected resource.
5. Steps 3 & 4 keep on repeating until the access token expires.
6. Once the access token expires, the client needs to authenticate with the authentication component once again and the flow repeats from step 1.

Refresh token-based authentication workflow

Refresh tokens are credentials that can be used to acquire new access tokens. When access tokens expire, we can use refresh tokens to get a new access token from the authentication component. The lifetime of a refresh token is usually set much longer than the lifetime of an access token.

Now, we are going to introduce the refresh token to our authentication workflow:

1. First, the client authenticates with the authentication component by providing the credentials.
2. Then, the authentication component issues the access token and the refresh token.
3. After that, the client requests the resource endpoints for a protected resource by providing the access token.
4. The resource endpoint validates the access token and provides a protected resource.
5. Steps 3 & 4 keep on repeating until the access token expires.
6. Once the access token expires, the client requests a new access token by providing the refresh token.
7. The authentication component issues a new access token and refresh token.
8. Steps 3 through 7 keep on repeating until the refresh token expires.
9. Once the refresh token expires, the client needs to authenticate with the authentication server once again and the flow repeats from step 1.

Now, let's discuss why we actually need refresh tokens. So, why do we need both access tokens and refresh tokens? Why don't we just set a long expiration date, like a month or a year, for the access tokens? Because if we do that and someone manages to get hold of our access token, they can use it for a long period, even if we change our password!
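The two workflows above as an added, runnable Python example (not code from the original article): a constructed in-memory authentication component, a resource endpoint that validates access tokens on its own without calling back to the authentication component, and a fake clock to drive the expiry steps. The HMAC-signed token format, the single-use rotation of refresh tokens and the `revoke_user` helper are assumptions of this example, not something the article specifies.

```python
import hashlib
import hmac
import secrets

ACCESS_TTL = 300             # seconds: access tokens are deliberately short-lived
REFRESH_TTL = 7 * 24 * 3600  # seconds: refresh tokens live much longer

def sign(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

class FakeClock:  # constructed clock so the example can advance time deterministically
    def __init__(self, now=1_700_000_000):
        self.now = now
    def advance(self, seconds):
        self.now += seconds

class AuthComponent:
    """Issues HMAC-signed access tokens and opaque refresh tokens tracked server-side (assumed design)."""
    def __init__(self, clock):
        self.clock = clock
        self.key = secrets.token_bytes(32)       # verification key shared with the resource endpoint
        self.users = {"alice": "correct-horse"}  # constructed credential store
        self.refresh_store = {}                  # refresh token -> (user, expiry)
    def _issue(self, user):
        payload = f"{user}.{self.clock.now + ACCESS_TTL}"  # subject.expiry, then signature
        access = f"{payload}.{sign(self.key, payload)}"
        refresh = secrets.token_urlsafe(32)
        self.refresh_store[refresh] = (user, self.clock.now + REFRESH_TTL)
        return access, refresh
    def login(self, user, password):              # steps 1 and 2
        if not hmac.compare_digest(self.users.get(user, ""), password):
            raise PermissionError("bad credentials")
        return self._issue(user)
    def refresh(self, token):                     # steps 6 and 7
        entry = self.refresh_store.pop(token, None)  # single use: rotated on every refresh
        if entry is None or entry[1] < self.clock.now:
            raise PermissionError("refresh token invalid or expired: log in again (step 9)")
        return self._issue(entry[0])
    def revoke_user(self, user):                  # e.g. after a password change
        self.refresh_store = {t: v for t, v in self.refresh_store.items() if v[0] != user}

def resource_endpoint(key, clock, access_token):  # steps 3 and 4: local validation only
    try:
        user, exp, sig = access_token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, sign(key, f"{user}.{exp}")) or int(exp) <= clock.now:
        return None
    return f"protected resource for {user}"
```

The `revoke_user` call is the reason the article gives for keeping access tokens short-lived: a refresh token can be invalidated at the authentication component, whereas an already-issued access token stays valid at the resource endpoint until it expires.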