moconnor5
10 years ago

Refreshing Access Token Question

In the OAuth2 Flow page am I correct in reading that I need to continually store a new Refresh Token after every time I refresh the access token? Is there no way to just use one refresh token for the lifetime of a user I'm making API calls for? Re-storing the refresh token each day is going to be problematic with how my application runs.

  • SuzieH
    Khoros Alumni (Retired)

    Hi moconnor5 .

    The refresh token will not expire.

    From the document: "The access token is valid for 24 hours. You can refresh the access token if needed. A refresh token can be issued at any time, but typically not until the access token expires. The refresh token does not expire."

    Let me know if I'm misunderstanding your question.

    • PaoloT
      Lithium Alumni (Retired)

      I think what happens here is that when an access token expires, the refresh token is used to obtain a new access token and a new refresh token is issued back to the caller at this point. This is called "Refresh token rotation" (see https://tools.ietf.org/html/rfc6749#section-10.4).

      However I don't have visibility on the internals of our LiQL implementation so it may be best to check with an engineer who would be aware of this implementation detail for LiQL, and see whether my guess is correct :-)
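
Added example, not posted by anyone in this thread and not taken from the LiQL or Khoros code: a client-side token store that behaves correctly whether or not the server rotates refresh tokens, so the application does not need to know which of the two answers above is right. `TokenStore`, `get_access_token`, `demo` and the fake endpoint are hypothetical names; the response fields `access_token`, `refresh_token` and `expires_in` are the ones defined in RFC 6749, and the token values are constructed.

```python
import json, os, tempfile, time

class TokenStore:
    def __init__(self, path):
        self.path = path

    def load(self):
        with open(self.path) as f:
            return json.load(f)

    def save(self, tokens):
        # Temp file + rename: a crash mid-write cannot destroy the only valid refresh token.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump(tokens, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

def get_access_token(store, refresh_call, now=time.time, skew=60):
    """Return a usable access token, refreshing and persisting when needed."""
    cur = store.load()
    if cur["expires_at"] - skew > now():
        return cur["access_token"]
    resp = refresh_call(cur["refresh_token"])  # the POST to the token endpoint
    new = {
        "access_token": resp["access_token"],
        # RFC 6749 section 6: a new refresh token is optional; keep the old one if none is sent.
        "refresh_token": resp.get("refresh_token", cur["refresh_token"]),
        "expires_at": now() + resp.get("expires_in", 86400),  # 24 h default, as quoted above
    }
    store.save(new)  # persist before any caller gets the new access token
    return new["access_token"]

def demo(rotating):
    calls = []
    def fake_endpoint(refresh_token):  # constructed stand-in, not a real API
        calls.append(refresh_token)
        resp = {"access_token": f"at-{len(calls)}", "expires_in": 86400}
        if rotating:
            resp["refresh_token"] = f"rt-{len(calls)}"
        return resp
    with tempfile.TemporaryDirectory() as d:
        store = TokenStore(os.path.join(d, "tokens.json"))
        store.save({"access_token": "at-0", "refresh_token": "rt-0", "expires_at": 0})
        clock = [1000.0]
        get_access_token(store, fake_endpoint, now=lambda: clock[0])
        clock[0] += 90000  # more than 24 hours later
        token = get_access_token(store, fake_endpoint, now=lambda: clock[0])
        return token, calls, store.load()["refresh_token"]
```

With a rotating server the second refresh presents the token issued by the first; with a non-rotating server the original refresh token is reused, and the same code path covers both.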