Token exchange
Tokens
What this page calls the token exchange flow is the OAuth 2.0 refresh token grant: the client presents a refresh token to the authorization server and receives a fresh access token, so users do not have to re-authenticate every time an access token expires. The access token response contains the following fields:
{
"access_token":"",
"expires_in":1209600,
"refresh_expires_in":15551995,
"refresh_token":"",
"token_type":"Bearer",
"not-before-policy":1683537926,
"scope":"offline_access core_data exports email profile"
}
- access_token: The new access token, sent as a Bearer token when calling protected resources.
- expires_in: Lifetime of the access token in seconds (1,209,600 seconds is 14 days).
- refresh_expires_in: Lifetime of the refresh token in seconds (15,551,995 seconds is about 180 days).
- refresh_token: The token used to obtain a new access token once the current one expires.
- token_type: The type of token issued ("Bearer").
- not-before-policy: A Keycloak-specific field carrying the Unix timestamp of the server's not-before (revocation) policy. Tokens issued before this time are rejected; the value is not the start of this token's validity.
- scope: The scopes granted to the token (see Token Scopes).
Refresh token expiration
The refresh_expires_in value (about 6 months) is the lifespan of the refresh token you currently hold. Each exchange returns a new refresh token that is valid for another ~6 months, so a client that refreshes regularly can keep its session alive for roughly 6 to 24 months in total before the user has to sign in again. Always persist the refresh token from the most recent response and discard the one you sent: the old token keeps its original expiry date, so a client that keeps presenting it will eventually be rejected.
Token exchange flow
The token exchange flow in OAuth 2.0 allows clients to obtain new access tokens using refresh tokens, ensuring continuous access to resources without requiring users to re-authenticate. Here’s how the token exchange process works:
- Obtain a refresh token: you need a valid refresh token, which was issued together with the initial access token.
- Exchange it: send a POST request to the authorization server's token endpoint. The form-encoded body and headers must include:
- grant_type: Set to refresh_token to indicate that you are using a refresh token.
- refresh_token: The refresh token obtained from the previous token response.
- client_id & client_secret: Sent as HTTP Basic authentication, i.e. an Authorization header of the form Basic followed by base64(client_id:client_secret).
Note the double quotes around the Authorization header: inside single quotes the shell does not expand $(...) and the literal text would be sent. curl --user '<ClientId>:<ClientSecret>' builds the same header and avoids the base64 step entirely.
curl --location 'https://id.my.candis.io/auth/realms/candis/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header "Authorization: Basic $(printf '%s' '<ClientId>:<ClientSecret>' | base64)" \
--data-urlencode 'refresh_token=<RefreshToken>' \
--data-urlencode 'grant_type=refresh_token'
The server responds with a new token set in the same shape as the response shown above: a new access token and refresh token, each with the number of seconds until it expires. Replace the stored refresh token with the one from this response before making the next exchange.
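The refresh procedure above, worked through in code. This is an added example and not Candis code: a small client that keeps the latest token set, renews the access token shortly before expires_in runs out, and always stores the refresh token returned by the last exchange. The HTTP call is injected as a post_form(url, headers, body) callable so the logic runs offline against SimulatedTokenEndpoint, a constructed stand-in for the Keycloak token endpoint; that stand-in rejecting a superseded refresh token is an assumption made for illustration (in Keycloak this is a configurable setting), and the TOKEN_URL, REFRESH_MARGIN and class names are the example's own.

```python
# Added example (not Candis code): a client that keeps a token set and renews it
# with the refresh_token grant. The HTTP call is injected as post_form(url, headers,
# body) so the logic runs offline against SimulatedTokenEndpoint, a constructed
# stand-in for the Keycloak token endpoint. Its rejection of a superseded refresh
# token is an assumption (in Keycloak this is a configurable setting).
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://id.my.candis.io/auth/realms/candis/protocol/openid-connect/token"
REFRESH_MARGIN = 60  # renew this many seconds before expires_in runs out (clock skew buffer)


def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication: base64(client_id:client_secret) without line wrap."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


class TokenStore:
    """Latest token set plus absolute expiry times derived from the relative *_expires_in values."""

    def __init__(self, response, now):
        self.update(response, now)

    def update(self, response, now):
        self.access_token = response["access_token"]
        self.refresh_token = response["refresh_token"]  # always replace with the newest one
        self.access_expires_at = now + response["expires_in"]
        self.refresh_expires_at = now + response["refresh_expires_in"]

    def access_token_usable(self, now):
        return now < self.access_expires_at - REFRESH_MARGIN

    def refresh_token_usable(self, now):
        return now < self.refresh_expires_at


class TokenClient:
    def __init__(self, client_id, client_secret, initial_response, post_form, clock=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.post_form, self.clock = post_form, clock
        self.store = TokenStore(initial_response, clock())

    def get_access_token(self):
        """Return a usable access token, refreshing first when it is about to expire."""
        now = self.clock()
        if self.store.access_token_usable(now):
            return self.store.access_token
        if not self.store.refresh_token_usable(now):
            raise RuntimeError("refresh token expired: the user must sign in again")
        self.refresh(now)
        return self.store.access_token

    def refresh(self, now):
        """POST grant_type=refresh_token with Basic client auth; store the returned token set."""
        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": basic_auth_header(self.client_id, self.client_secret),
        }
        body = urlencode({"grant_type": "refresh_token", "refresh_token": self.store.refresh_token})
        status, response = self.post_form(TOKEN_URL, headers, body)
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}: {response}")
        self.store.update(response, now)
        return response


class SimulatedTokenEndpoint:
    """Constructed stand-in for the token endpoint: random tokens with the documented
    lifetimes, Basic auth check, and only the most recently issued refresh token accepted."""

    def __init__(self, client_id, client_secret, scope="offline_access core_data exports email profile"):
        self.expected_auth = basic_auth_header(client_id, client_secret)
        self.scope = scope
        self.current_refresh_token = None

    def issue(self):
        response = {
            "access_token": secrets.token_urlsafe(16),
            "expires_in": 1209600,
            "refresh_expires_in": 15551995,
            "refresh_token": secrets.token_urlsafe(16),
            "token_type": "Bearer",
            "not-before-policy": 0,
            "scope": self.scope,
        }
        self.current_refresh_token = response["refresh_token"]
        return response

    def post_form(self, url, headers, body):
        if headers.get("Authorization") != self.expected_auth:
            return 401, {"error": "unauthorized_client"}
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != "refresh_token":
            return 400, {"error": "unsupported_grant_type"}
        if form.get("refresh_token") != self.current_refresh_token:
            return 400, {"error": "invalid_grant"}  # unknown, expired or superseded
        return 200, self.issue()
```

To use it against the real endpoint, pass a post_form that performs the HTTPS request with the given headers and body and returns (status, parsed JSON); TokenClient.get_access_token then transparently refreshes about a minute before expires_in elapses, and raises once refresh_expires_in has passed, which is the point at which the user has to go through the login flow again.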