Tags: security, oauth-2.0, identityserver4, openid-connect

Using IdentityServer4 Refresh Tokens


I am looking for a simple, clear explanation of how the refresh token is used. I understand that once the access token expires, a refresh token is used to get a new access token. Let's say a user is authenticated and gets a refresh token and an access token.

Question 1: When the access token expires, does IdentityServer4 (not the api that the user is trying to access) consider the user to be then "unauthenticated"?

Question 2: Let's say the access token expires; can I wait as long as I want before using the refresh token? I mean, if the access token expires now, and I do NOT have an immediate need to access a protected API, and that need comes up 5 hours later, can I just pick up the refresh token and use it to get a new access token?

Question 3: What if I want an access token that never expires? Let's say I have an app like Facebook, where users generally never really log out. How do I implement that functionality?


Solution

Please note that access tokens are used by clients to access resources (APIs) on behalf of the user. For a website that uses cookie authentication and has no external resources, there is no need for a refresh token.

Question 1: Assuming you are using JWT tokens: from the perspective of the resource, the request is unauthorized. As this is a direct request from client to resource, IdentityServer is not part of it.

From the website's perspective the user may still be logged in, because the cookie hasn't expired. That can result in the 'odd' situation that a user who is authenticated (for the website) has no access to an external resource (access token expired). It's for this situation that you'll need the refresh token.

For cookie authentication there are ways to extend the lifetime of the cookie.

Question 2: You can wait as long as you like, but take into account that the refresh token can also expire. There are options to extend the lifetime.

Also note that you can request as many access tokens as you like. You don't have to wait until the access token expires. But this is probably not as efficient as checking the expiration of the access token.

When you configure one-time use, you can use the refresh token only once. The response to that request will contain a new refresh token.

Question 3: Are you talking about a cookie or a token? For the website you can extend the lifetime of the cookie.
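As an added example (not code from the question, the answer, or IdentityServer4), the Python below simulates the exchange the answer describes: the API checks the access token's expiry itself without contacting IdentityServer, the client redeems the refresh token only when it needs a new access token, and with one-time use the presented refresh token is consumed and a new one is returned. TokenServer, resource_accepts and ensure_access_token are hypothetical names; the lifetimes match IdentityServer4's defaults (one hour for access tokens, 30 days absolute for refresh tokens), and sliding expiration is not modelled.

```python
import secrets

# Constructed simulation (not IdentityServer4 code) of the refresh_token grant.
# Time is an explicit integer (seconds) so each scenario is deterministic.
ACCESS_TOKEN_LIFETIME = 3600            # seconds; IdentityServer4 default
ABSOLUTE_REFRESH_LIFETIME = 30 * 86400  # seconds; IdentityServer4 default

class TokenServer:
    """Stand-in for the token endpoint. one_time_use mirrors the answer's 'one-time use'."""
    def __init__(self, one_time_use=True):
        self.one_time_use = one_time_use
        self.refresh_tokens = {}  # handle -> absolute expiry (seconds)

    def _access_token(self, now):
        # Plays the role of a JWT claim set: the resource checks 'exp' locally.
        return {"sub": "alice", "exp": now + ACCESS_TOKEN_LIFETIME}

    def login(self, now):
        rt = secrets.token_hex(16)
        self.refresh_tokens[rt] = now + ABSOLUTE_REFRESH_LIFETIME
        return {"access_token": self._access_token(now), "refresh_token": rt}

    def token_endpoint(self, grant_type, refresh_token, now):
        if grant_type != "refresh_token":
            return {"error": "unsupported_grant_type"}
        expiry = self.refresh_tokens.get(refresh_token)
        if expiry is None or now >= expiry:
            return {"error": "invalid_grant"}  # unknown, already consumed, or expired
        if self.one_time_use:
            # Rotation: the presented handle is consumed and a fresh one is returned,
            # keeping the original absolute expiry (sliding expiration not modelled).
            del self.refresh_tokens[refresh_token]
            refresh_token = secrets.token_hex(16)
            self.refresh_tokens[refresh_token] = expiry
        return {"access_token": self._access_token(now), "refresh_token": refresh_token}

def resource_accepts(access_token, now):
    """The API validates the token itself; IdentityServer is not contacted (Question 1)."""
    return now < access_token["exp"]

def ensure_access_token(tokens, server, now):
    """Client side: keep a still-valid access token, otherwise redeem the refresh token.
    Returns the (possibly rotated) token set; raises PermissionError when the refresh
    token is rejected and the user has to authenticate again."""
    if resource_accepts(tokens["access_token"], now):
        return tokens
    reply = server.token_endpoint("refresh_token", tokens["refresh_token"], now)
    if "error" in reply:
        raise PermissionError(reply["error"])
    return reply
```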