Token exchange

Tokens

The token exchange flow is a crucial feature of OAuth 2.0, allowing clients to maintain continuous access to resources without requiring users to re-authenticate repeatedly. The access token response contains the following details:

{
   "access_token":"",
   "expires_in":1209600,
   "refresh_expires_in":15551995,
   "refresh_token":"",
   "token_type":"Bearer",
   "not-before-policy":1683537926,
   "scope":"offline_access core_data exports email profile"
}

  • access_token: The new access token used to access protected resources.
  • expires_in: The duration in seconds until the access token expires (e.g., 1,209,600 seconds, which is approximately 14 days).
  • refresh_expires_in: The duration in seconds until the refresh token expires (e.g., 15,551,995 seconds, which is approximately 180 days).
  • refresh_token: A token used to obtain a new access token when the current one expires.
  • token_type: The type of the token issued (e.g., “Bearer”).
  • not-before-policy: The timestamp indicating when the token becomes valid.
  • scope: The scope of access granted by the token (Read more about: Token Scopes)


Refresh token expiration

The refresh_expires_in value (approximately 6 months) indicates the lifespan of the current refresh token. Each token exchange using a refresh token provides a new refresh token valid for another 6 months. Clients can continue this token exchange process for up to ~6-24 months.

Token exchange flow

The token exchange flow in OAuth 2.0 allows clients to obtain new access tokens using refresh tokens, ensuring continuous access to resources without requiring users to re-authenticate. Here’s how the token exchange process works:

  • Obtain Refresh Token: Ensure you have a valid refresh token, which was issued along with the initial access token.
  • Send the exchange request: Send a request to the authorization server to exchange the refresh token for a new access token. This request should include:
    • grant_type: Set to refresh_token to indicate that you are using a refresh token.
    • refresh_token: The refresh token obtained from the previous access token request.
    • client_id & client_secret: Sent as HTTP Basic authentication, i.e. an Authorization header carrying the base64 encoding of client_id:client_secret.

# Double quotes around the Authorization header are required: inside single
# quotes the $(...) substitution is not performed and the literal text would be sent.
curl --location 'https://id.my.candis.io/auth/realms/candis/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header "Authorization: Basic $(printf '%s' '<ClientId>:<ClientSecret>' | base64)" \
--data-urlencode 'refresh_token=<RefreshToken>' \
--data-urlencode 'grant_type=refresh_token'

The server responds with a new token set in the same format shown above: a new access token and refresh token, together with the number of seconds until each of them expires.
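The following client code is an added example, not the documentation's own, and shows the whole flow above as a practitioner would implement it: building the Basic authentication header and form body, converting the relative expires_in / refresh_expires_in values into absolute expiry times, refreshing shortly before the access token lapses, and replacing the stored refresh token with the new one returned by each exchange. It assumes the token endpoint URL from the page; the HTTP transport is injectable (the `post` parameter) so the logic can be exercised offline against a constructed response shaped like the one shown above, and the client id and secret are placeholders.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Token endpoint taken from the page.
TOKEN_URL = "https://id.my.candis.io/auth/realms/candis/protocol/openid-connect/token"

# Refresh this many seconds before the access token actually expires, so a
# token that is about to lapse is never presented to a resource server.
DEFAULT_LEEWAY = 60


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header value for HTTP Basic: base64("client_id:client_secret")."""
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def build_refresh_request(client_id: str, client_secret: str, refresh_token: str):
    """Headers and form-encoded body for the refresh_token grant, as in the curl call."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token}
    )
    return headers, body


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    token_type: str
    scope: str
    access_expires_at: float   # absolute epoch seconds, derived from expires_in
    refresh_expires_at: float  # absolute epoch seconds, derived from refresh_expires_in

    @classmethod
    def from_response(cls, body: dict, now: float) -> "TokenSet":
        """Parse a token response, rejecting malformed or unexpected token sets."""
        required = ("access_token", "refresh_token", "expires_in", "refresh_expires_in")
        missing = [k for k in required if k not in body]
        if missing:
            raise ValueError(f"token response missing fields: {missing}")
        if str(body.get("token_type", "")).lower() != "bearer":
            raise ValueError(f"unexpected token_type: {body.get('token_type')!r}")
        return cls(
            access_token=body["access_token"],
            refresh_token=body["refresh_token"],
            token_type=body["token_type"],
            scope=body.get("scope", ""),
            access_expires_at=now + float(body["expires_in"]),
            refresh_expires_at=now + float(body["refresh_expires_in"]),
        )

    def access_needs_refresh(self, now: float, leeway: float = DEFAULT_LEEWAY) -> bool:
        return now + leeway >= self.access_expires_at

    def refresh_token_usable(self, now: float, leeway: float = DEFAULT_LEEWAY) -> bool:
        return now + leeway < self.refresh_expires_at


def http_post(url: str, headers: dict, body: str) -> dict:
    """Real transport (not exercised offline): POST the form body and parse the JSON reply."""
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def exchange_refresh_token(client_id, client_secret, tokens, post=http_post, now=None):
    """Trade the current refresh token for a new TokenSet.

    Every exchange returns a new refresh token; the caller must persist the
    returned set and stop using the old refresh token."""
    now = time.time() if now is None else now
    if not tokens.refresh_token_usable(now):
        raise RuntimeError("refresh token expired; the user must re-authenticate")
    headers, body = build_refresh_request(client_id, client_secret, tokens.refresh_token)
    return TokenSet.from_response(post(TOKEN_URL, headers, body), now)


def ensure_fresh(client_id, client_secret, tokens, post=http_post, now=None):
    """Return the tokens unchanged while the access token is still good, else refresh."""
    now = time.time() if now is None else now
    if tokens.access_needs_refresh(now):
        return exchange_refresh_token(client_id, client_secret, tokens, post, now)
    return tokens
```

Call `ensure_fresh(...)` before each API request and store whatever it returns; because the refresh token rotates on every exchange, keeping the old one around only widens the window in which a leaked copy could be replayed, and once `refresh_token_usable` turns false the only option is a fresh interactive login.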