Access Token Refresh Mechanism
What is an Access Token?
Purpose: An access token is a credential used by a client to access protected resources on behalf of the user. It's typically sent with each request to authenticate the user.
Lifespan: Access tokens are short-lived and have a limited validity period. They typically expire after a relatively short time, such as 15 minutes or 1 day. The short lifespan enhances security by limiting the window of opportunity for attackers to misuse stolen tokens.
What is a Refresh Token?
Purpose: A refresh token is a long-lived credential used to obtain new access tokens once they expire. It allows the client to maintain continuous access to protected resources without requiring the user to re-authenticate each time.
Lifespan: Refresh tokens have a longer lifespan compared to access tokens. They are usually valid for days, weeks, or even months. However, they are still limited in duration and have an expiration date. Once a refresh token expires, the user will need to re-authenticate to obtain a new one.
Now that we understand the purpose and lifespan of both tokens, we can move on to the Access Token Refresh Mechanism.
Here's a step-by-step breakdown of how this process works:
User logs in: When the user initially logs into the application, the server verifies the credentials and issues both an access token and a refresh token.
Access token expires: Over time, the access token expires according to its defined lifespan. When the client sends a request with an expired access token, the server responds with a "401 Unauthorized" status code.
Client sends refresh token: Along with the expired access token, the client also sends the refresh token with the request.
Server validates refresh token: Upon receiving the request, the server verifies the refresh token's authenticity and checks if it's expired. If the refresh token is valid and not expired, the server proceeds to the next step.
Server issues new access token: With a valid refresh token, the server generates a new access token and sends it back in the response to the client.
Client retries request with new access token: Upon receiving the new access token, the client retries the original request, this time including the new access token in the Authorization header.
Server validates new access token: The server verifies the new access token's validity. If the token is valid and the user has the necessary permissions, the server processes the request and returns the desired resources.
By implementing this token refresh mechanism, the user experience is improved as the user doesn't need to manually re-authenticate after the access token expires. Instead, the client can seamlessly obtain a new access token using the refresh token, maintaining continuous access to protected resources without requiring additional user interaction.
References:
Here is the embedded video to understand the whole backend related to access token refresh mechanism in detail.
Interested in learning how to build a production-grade backend in JavaScript? Do check out the whole series:
Special thanks to Hitesh Choudhary for the clearly explained, high-quality content.