Why do we need refresh token to get a new access token?

Hi all

I know that in theory (or practice) when an access token is expired I need to use the refresh token to get a new one
and this is done using the refresh_token grant type in the request to the token endpoint.

However, I noticed that in our code (which was written before my time), when an access token has expired we don't use the refresh token: we send a new request to the token endpoint with grant type client_credentials,
and in the response we get a new access token (and no refresh token).

Here is a screenshot of the request and response (from Postman):

So, my question is: why do we need the refresh token in the first place if we can just request a new access token with the client_credentials grant type?

thanks :slight_smile:

Client authentication with the client credentials flow doesn't contain a refresh token and no session on the KC server. Clients just re-authenticate when the access_token is expired.
With users, this is different. Then you want to have a session and thus you need a refresh token; otherwise the user would have to re-authenticate again every time the access_token gets expired.

1 Like
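To make the difference between the two grants concrete, here is an added example (not code from the original thread or from Keycloak) that models the two behaviours described above: a service client that simply re-authenticates with client_credentials when its token expires, and a user-session client that has to present a refresh token, which is rotated on every use and which fails with invalid_grant once the server no longer knows it. The in-memory token endpoint, the client id and secret, and the lifetimes are constructed stand-ins.

```python
import secrets
import time

# Constructed stand-in for the token endpoint (not Keycloak itself). Assumed
# values: client_credentials answers with an access token only; refresh_token
# answers with a new access token plus a rotated refresh token.
CLIENT_ID, CLIENT_SECRET = "demo-client", "demo-secret"
_live_refresh_tokens = set()  # refresh tokens the fake server still accepts


def issue_session_refresh_token():
    """Stand-in for a user login (authorization code flow): opens a session."""
    rt = secrets.token_hex(8)
    _live_refresh_tokens.add(rt)
    return rt


def fake_token_endpoint(form):
    """Minimal model of POST /token for the two grant types in the thread."""
    if form.get("client_id") != CLIENT_ID or form.get("client_secret") != CLIENT_SECRET:
        return {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "client_credentials":  # no session, no refresh token returned
        return {"access_token": secrets.token_hex(8), "expires_in": 300}
    if grant == "refresh_token":
        if form.get("refresh_token") not in _live_refresh_tokens:
            return {"error": "invalid_grant"}  # session gone: user must log in again
        _live_refresh_tokens.discard(form["refresh_token"])  # rotate: old one dies
        new_rt = issue_session_refresh_token()
        return {"access_token": secrets.token_hex(8), "expires_in": 300,
                "refresh_token": new_rt}
    return {"error": "unsupported_grant_type"}


class TokenHolder:
    """Caches an access token; renews it via refresh_token if it holds one,
    otherwise via client_credentials (the service-account case)."""

    def __init__(self, refresh_token=None):
        self.access_token, self.expires_at, self.refresh_token = None, 0.0, refresh_token

    def get_access_token(self, now=None):
        now = time.time() if now is None else now
        if self.access_token and now < self.expires_at - 30:  # 30 s safety margin
            return self.access_token
        form = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
        if self.refresh_token:
            form.update(grant_type="refresh_token", refresh_token=self.refresh_token)
        else:
            form.update(grant_type="client_credentials")
        resp = fake_token_endpoint(form)
        if "error" in resp:
            raise PermissionError(resp["error"])  # caller must re-authenticate
        self.access_token, self.expires_at = resp["access_token"], now + resp["expires_in"]
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        return self.access_token
```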