OAuth 2.0 Tokens
OAuth stands for Open Authorization. The 2.0 refers to the version.
A token (sometimes called an artifact) is a piece of data that represents an authorisation grant: it carries just enough information for a resource server to decide what the holder may access, and on whose behalf, without the user having to be present.
When an application such as Statelake needs to access these protected resources, an Access Token lets the client show the resource server that the user has authorised it to perform certain tasks or access certain resources. The Access Token is a bearer token: whoever holds it has the permitted access, and no further proof of identity is required. It must therefore be protected accordingly (sent only over TLS, never written to logs or placed in URLs, and stored no longer than needed) to mitigate malicious or fraudulent use. The initial request for authorisation is sent to the authorisation server, which is identified by the Auth Endpoint.
Once the user has approved access at the Auth Endpoint, the server identified by the Token Endpoint issues the Access Token, normally together with an associated Refresh Token. The OAuth 2.0 specification makes the Refresh Token optional, so whether one is returned depends on the authorisation server.
For security purposes Access Tokens are deliberately short-lived; the exact lifetime depends on the server and is reported in the token response as the expires_in value.
A Refresh Token is a longer-lived artifact that allows a client application to obtain a new Access Token without forcing the user to log in and be authenticated again. Many servers treat it as single-use and return a replacement with every refresh (refresh token rotation), so a client must always keep the newest Refresh Token it receives and discard the old one.
Once the Access Token has expired, a refresh request (grant_type=refresh_token) is sent to the Token Endpoint server, requesting a new Access Token and, usually, a new Refresh Token.
Statelake can, however, send a Refresh Token request before the existing Access Token expires if required, which avoids a failed call to the web service at the moment of expiry.
If the request succeeds and the Refresh Token is valid and unexpired, the Token Endpoint server re-issues the Access Token together with its paired Refresh Token. The user is not interrupted, while the short lifetime of the Access Token limits the damage should one leak.
Like Access Tokens, Refresh Tokens do not have a limitless lifespan, although they are typically much longer-lived. Once a Refresh Token has expired or been revoked, the Token Endpoint returns an invalid_grant error and the user must authorise the application again.
Unlike Access Tokens, Refresh Tokens are only ever presented to the Token Endpoint server; they are never sent to a web service or any other resource server. A leaked Refresh Token is worth more to an attacker than a leaked Access Token, because it can mint new Access Tokens for as long as it remains valid, so it should be stored with corresponding care.
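The lifecycle described above (initial issue, early refresh within a skew window, single-use Refresh Tokens, and the invalid_grant that forces a re-login) as an added worked example in Python. This is illustration code written for this page, not Statelake's own implementation: the FakeTokenEndpoint is a constructed, offline stand-in for a real Token Endpoint, and the names OAuthClient, TokenError, client_id "statelake-demo" and the token strings are all hypothetical.

```python
import time
from typing import Callable, Dict, Optional

TokenEndpoint = Callable[[Dict[str, str]], Dict[str, object]]


class TokenError(Exception):
    """Raised when the Token Endpoint returns an OAuth error response."""


class FakeTokenEndpoint:
    """Constructed, offline stand-in for a Token Endpoint (hypothetical).

    Issues Access/Refresh pairs, treats each Refresh Token as single-use
    (rotation), and answers invalid_grant for unknown, reused or expired ones.
    """

    def __init__(self, access_ttl: int, refresh_ttl: int, clock: Callable[[], float]):
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self.clock = clock
        self._live_refresh: Dict[str, float] = {}  # refresh token -> expiry time
        self._serial = 0

    def _issue_pair(self) -> Dict[str, object]:
        self._serial += 1
        refresh = f"rt-{self._serial}"
        self._live_refresh[refresh] = self.clock() + self.refresh_ttl
        return {"access_token": f"at-{self._serial}", "token_type": "Bearer",
                "expires_in": self.access_ttl, "refresh_token": refresh}

    def __call__(self, params: Dict[str, str]) -> Dict[str, object]:
        grant = params.get("grant_type")
        if grant == "authorization_code":
            return self._issue_pair()
        if grant == "refresh_token":
            # pop() consumes the token, so presenting it a second time fails
            expiry = self._live_refresh.pop(params.get("refresh_token", ""), None)
            if expiry is None or expiry < self.clock():
                return {"error": "invalid_grant"}
            return self._issue_pair()
        return {"error": "unsupported_grant_type"}


class OAuthClient:
    """Holds the current Access/Refresh pair and refreshes ahead of expiry."""

    def __init__(self, token_endpoint: TokenEndpoint, client_id: str,
                 skew: int = 30, clock: Callable[[], float] = time.time):
        self.token_endpoint = token_endpoint
        self.client_id = client_id
        self.skew = skew  # refresh this many seconds before the Access Token expires
        self.clock = clock
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None
        self.expires_at = 0.0

    def _apply(self, resp: Dict[str, object]) -> None:
        if "error" in resp:
            raise TokenError(str(resp["error"]))
        self.access_token = str(resp["access_token"])
        self.expires_at = self.clock() + int(resp["expires_in"])
        new_refresh = resp.get("refresh_token")
        if new_refresh is not None:  # rotated token replaces the old one
            self.refresh_token = str(new_refresh)

    def exchange_code(self, code: str) -> None:
        self._apply(self.token_endpoint({"grant_type": "authorization_code",
                                         "code": code, "client_id": self.client_id}))

    def refresh(self) -> None:
        if self.refresh_token is None:
            raise TokenError("no refresh token: the user must authorise again")
        self._apply(self.token_endpoint({"grant_type": "refresh_token",
                                         "refresh_token": self.refresh_token,
                                         "client_id": self.client_id}))

    def needs_refresh(self) -> bool:
        return self.access_token is None or self.clock() >= self.expires_at - self.skew

    def auth_header(self) -> Dict[str, str]:
        """Header for a resource-server call; only the Access Token ever goes here."""
        if self.needs_refresh():
            self.refresh()
        return {"Authorization": f"Bearer {self.access_token}"}


def demo() -> Dict[str, str]:
    now = [1_700_000_000.0]  # controllable clock so the run is deterministic

    def clock() -> float:
        return now[0]

    endpoint = FakeTokenEndpoint(access_ttl=300, refresh_ttl=3600, clock=clock)
    client = OAuthClient(endpoint, client_id="statelake-demo", skew=30, clock=clock)
    client.exchange_code("constructed-auth-code")
    out = {"first": client.auth_header()["Authorization"]}  # at-1, still fresh
    now[0] += 280                                           # inside the 30 s skew window
    out["second"] = client.auth_header()["Authorization"]   # refreshed early -> at-2
    stale = endpoint({"grant_type": "refresh_token", "refresh_token": "rt-1"})
    out["reuse"] = str(stale.get("error"))                  # rt-1 was consumed by the rotation
    now[0] += 4000                                          # past the Refresh Token lifetime
    try:
        client.auth_header()
        out["expired"] = "unexpected success"
    except TokenError as exc:
        out["expired"] = str(exc)                           # invalid_grant: user must log in again
    return out


if __name__ == "__main__":
    print(demo())
```

The refresh is triggered from inside auth_header, so every call to a web service goes through the expiry check and the Refresh Token is only ever sent to the token endpoint callable, never placed in the Authorization header. Replace FakeTokenEndpoint with a function that POSTs the same parameters to the real Token Endpoint over TLS to use the client for real.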