
get access token with access token?


From what I understand so far about access tokens, in the Code flow the Client can get an access token with either an authorization code or a refresh token.

But.. can it get a new access token with the access token it holds, before that token expires?

I read RFC6749 (sections 1.1 ~ 1.4, 4.1, 4.2 and 5 only, for the sake of time) and I couldn't find anything like

"access token must get issued by only explicit resource owner's grant or refresh token"

So I've been thinking..

How about issuing an access token with an access token?

What's wrong with this?

I'm almost a noob to OAuth and learned it only from the internet, so I might totally misunderstand something D:

Please enlighten me.. thanks!


Solution

  • You can't use an access token to get a new access token. Access tokens are self-contained bearer tokens which grant you access to some data (denoted by scope). For security reasons access tokens have a limited lifetime. Once it has expired you can no longer use it.

    Consider if someone with malicious intent got hold of your access token. They could then use it to access the data, but only for a limited amount of time. Once the access token expired they would no longer be able to access that data.

    Refreshing access

    The first step of the auth process gives you an authorization code; this is a one-time code, extremely short lived (probably five minutes), and can only be used once. When you exchange it you will get an access token, and a refresh token if you requested offline access.

    Refresh tokens can be used to get a new access token. You can use one to get access at a later date without requesting access from the user again. To get a new access token, though, you need to have the client id and client secret that were used to create the access token in the first place, and in some cases you need to have access to the server on which the redirect uri resides. This way, if the same malicious person got access to their refresh token they can't use it to get a new access token unless they also have your client id, client secret and server access.

    You may find this interesting: Understanding oauth2 with curl
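To make the distinction in the answer concrete, here is a toy model of an OAuth 2.0 token endpoint. It is an added example, not code from the question or the answer, and not a real authorization server: the client registry, token formats, lifetimes and the `demo` walk-through are all constructed for illustration. It shows the three behaviours the answer describes: an authorization code is single-use and short-lived, a refresh token yields a new access token only together with the client id and client secret it was issued to, and an access token presented to the token endpoint (as its own grant type, or passed where a refresh token belongs) is simply rejected.

```python
"""Toy OAuth 2.0 token endpoint; constructed example, not a real server."""
import hmac
import secrets
import time

# Constructed client registry (assumption: a real server loads this from storage).
CLIENTS = {"demo-client": "demo-secret"}

CODE_LIFETIME = 5 * 60       # seconds; the answer says "probably five minutes"
ACCESS_LIFETIME = 60 * 60    # one hour, a typical value (assumption)


class TokenEndpoint:
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be tested
        self._codes = {}      # code -> (client_id, scope, expires_at)
        self._refresh = {}    # refresh_token -> (client_id, scope)
        self._access = {}     # access_token -> (client_id, scope, expires_at)

    def issue_code(self, client_id, scope):
        """What the authorization endpoint hands out after the user consents."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, scope, self.now() + CODE_LIFETIME)
        return code

    def _check_client(self, client_id, client_secret):
        expected = CLIENTS.get(client_id)
        # constant-time comparison so the check does not leak the secret
        return expected is not None and hmac.compare_digest(expected, client_secret)

    def _issue_access(self, client_id, scope):
        token = secrets.token_urlsafe(24)
        self._access[token] = (client_id, scope, self.now() + ACCESS_LIFETIME)
        return token

    def token(self, params):
        """Handle one token request; returns a dict shaped like the JSON body."""
        client_id = params.get("client_id", "")
        if not self._check_client(client_id, params.get("client_secret", "")):
            return {"error": "invalid_client"}
        grant = params.get("grant_type")

        if grant == "authorization_code":
            entry = self._codes.pop(params.get("code"), None)  # pop: single use
            if entry is None or entry[0] != client_id or entry[2] < self.now():
                return {"error": "invalid_grant"}
            scope = entry[1]
            refresh = secrets.token_urlsafe(24)
            self._refresh[refresh] = (client_id, scope)
            return {"access_token": self._issue_access(client_id, scope),
                    "token_type": "Bearer", "expires_in": ACCESS_LIFETIME,
                    "refresh_token": refresh, "scope": scope}

        if grant == "refresh_token":
            entry = self._refresh.get(params.get("refresh_token"))
            # an access token is never in the refresh store, and the refresh
            # token must belong to the client that just authenticated
            if entry is None or entry[0] != client_id:
                return {"error": "invalid_grant"}
            return {"access_token": self._issue_access(client_id, entry[1]),
                    "token_type": "Bearer", "expires_in": ACCESS_LIFETIME}

        # anything else, including "access_token" as a grant type
        return {"error": "unsupported_grant_type"}

    def introspect(self, access_token):
        """What a resource server checks before honouring a bearer token."""
        entry = self._access.get(access_token)
        if entry is None or entry[2] < self.now():
            return {"active": False}
        return {"active": True, "client_id": entry[0], "scope": entry[1]}


def demo(now=time.time):
    """Run the flow end to end and return every response for inspection."""
    ep = TokenEndpoint(now)
    creds = {"client_id": "demo-client", "client_secret": "demo-secret"}
    code = ep.issue_code("demo-client", "read")
    first = ep.token({"grant_type": "authorization_code", "code": code, **creds})
    replay = ep.token({"grant_type": "authorization_code", "code": code, **creds})
    refreshed = ep.token({"grant_type": "refresh_token",
                          "refresh_token": first["refresh_token"], **creds})
    # The question's idea, two ways: an access token as its own grant type,
    # and an access token passed in the refresh_token parameter.
    with_access = ep.token({"grant_type": "access_token",
                            "access_token": first["access_token"], **creds})
    as_refresh = ep.token({"grant_type": "refresh_token",
                           "refresh_token": first["access_token"], **creds})
    # A refresh token on its own, without the client secret, is also useless.
    stolen = ep.token({"grant_type": "refresh_token",
                       "refresh_token": first["refresh_token"],
                       "client_id": "demo-client", "client_secret": "guess"})
    return {"first": first, "replay": replay, "refreshed": refreshed,
            "with_access": with_access, "as_refresh": as_refresh,
            "stolen": stolen, "endpoint": ep}


if __name__ == "__main__":
    for name, value in demo().items():
        if name != "endpoint":
            print(name, value)
```

Running `demo()` shows the code exchange succeeding once and failing on replay, the refresh grant producing a fresh access token, and both attempts to trade an access token for a new one coming back as errors. Passing a fixed clock (`TokenEndpoint(lambda: some_time)`) and advancing it lets you watch the code and the access token expire as the answer describes.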