What are refresh tokens, access tokens, and grant types?

11

I was researching security in REST APIs and found the terms refresh tokens, access tokens, and grant type, which refer to tokens and to how the client requests the features.

What are they and what are their differences?

    
asked by anonymous 29.10.2018 / 18:10

2 answers

5

Access Tokens - This is a type of credential that you can use to give external systems permission to interact with your application. As you mentioned, for example, your set of REST APIs could only be consumed by means of an identifier that you offer to your partner systems. This ID is the Access Token. A practical example is when you need to consume some Google / Facebook API.

Refresh Tokens - Occasionally, you may want to check from time to time the ID (Access Token) that the system consuming your API has. This can be for security reasons, monetization of your API, or even the frequency of use of the API. It works as follows: you give your partners 2 keys: 1) the Access Token (with a short lifetime) and 2) the Refresh Token (used to get a new Access Token). That way, when your partner makes a request to your application, it sends those 2 keys and your system checks whether the Access Token is expired. If so, you generate a new Access Token using the Refresh Token that the partner sent you.

Grant Types - When you hear this term, it refers to the ways a system has access to an Access Token for consumption in its API. They can be:

  • Authorization code
  • Implicit
  • Resource owner credentials
  • Client credentials
  • Refresh token

All these concepts in your question are part of the OAuth 2.0 specification, and you can get more details here (OAuth 2.0 Docs) and here (OAuth 2.0 Workflow Video).

        
    04.11.2018 / 19:33
    3

    Access tokens are credentials used to access protected resources.

    Refresh tokens are credentials used to get a new access token.

    Grant type is used when the client wants to receive an access token without transmitting important information, such as the client secret.

    Access tokens and Refresh tokens

    Grant type

        
    01.11.2018 / 13:00
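
The access token / refresh token cycle and the role of the grant type discussed in the answers above, as an added example that is not part of either answer. `TokenServer`, `ACCESS_TTL`, the user and the authorization code are constructed for illustration, client authentication is omitted, and the field names follow OAuth 2.0 (RFC 6749). It goes slightly beyond the answers by rotating the refresh token on use, so a replayed refresh token is rejected.

```python
import secrets
import time

ACCESS_TTL = 300  # access token lifetime in seconds (assumed value)

class TokenServer:
    """Toy in-memory authorization + resource server (hypothetical names)."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}    # authorization code -> user
        self.access = {}   # access token -> (user, expiry timestamp)
        self.refresh = {}  # refresh token -> user

    def _issue(self, user):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = (user, self.clock() + ACCESS_TTL)
        self.refresh[refresh] = user
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": refresh}

    def token(self, grant_type, **params):
        """Token endpoint: grant_type selects how the token is obtained."""
        if grant_type == "authorization_code":
            user = self.codes.pop(params.get("code"), None)  # codes are single use
        elif grant_type == "refresh_token":
            # Rotation: consume the presented refresh token, issue a fresh pair.
            user = self.refresh.pop(params.get("refresh_token"), None)
        else:
            return {"error": "unsupported_grant_type"}
        return self._issue(user) if user is not None else {"error": "invalid_grant"}

    def resource(self, access_token):
        """Protected API: accepts only a known, unexpired access token."""
        user, expiry = self.access.get(access_token, (None, 0))
        live = user is not None and self.clock() < expiry
        return (200, user) if live else (401, None)

def demo():
    now = [1000.0]  # constructed fake clock so expiry is deterministic
    srv = TokenServer(clock=lambda: now[0])
    srv.codes["constructed-code"] = "alice"  # constructed sample grant
    first = srv.token("authorization_code", code="constructed-code")
    ok = srv.resource(first["access_token"])
    now[0] += ACCESS_TTL + 1  # the access token is now expired
    expired = srv.resource(first["access_token"])
    second = srv.token("refresh_token", refresh_token=first["refresh_token"])
    renewed = srv.resource(second["access_token"])
    replay = srv.token("refresh_token", refresh_token=first["refresh_token"])
    return ok, expired, renewed, replay
```

`demo()` returns the four outcomes in order: a valid call, the same call after expiry, a call with the renewed access token, and the reply to a reused refresh token.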