Refreshing Tokens

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Access tokens have limited and usually very short lifetime. This is for reasons of security and performance. After an access token has expired, the client has to request a new one to continue using the FotoWeb API. This can be done in two ways:

Repeat the authorization process.
Request a new access token using a refresh token.

Refresh tokens may be obtained together with access tokens if authorization code grant type is used. Refresh tokens are not available when using implicit grant type.

A new access token is requested using a refresh token as follows:

POST https://myfotowebserver.com/fotoweb/oauth2/token
Content-Type: application/x-www-form-urlencoded
Accept: application/json


grant_type=refresh_token&refresh_token=REFRESH_TOKEN&client_id=CLIENT_ID&client_secret=CLIENT_SECRET

where

Parameter	Description
`grant_type`	REQUIRED. Must always be `refresh_token`.
`client_id`	REQUIRED. The unique ID of the client, which was obtained during client registration.
`client_secret`	The secret of the client, which was obtained during client registration. REQUIRED if the client is a web application (was registered with a client secret). MUST NOT BE GIVEN if the client is a native application or single-page application (was registered without a client secret).
`refresh_token`	REQUIRED. The refresh token obtained during authorization.

On success, the server responds as follows:

200 OK
Content-Type: application/json

with the following response body:

{
  "access_token": ACCESS_TOKEN,
  "token_type": "bearer",
  "expires_in": EXPIRES_IN_SECONDS,
  "refresh_token": REFRESH_TOKEN
}

where

Parameter	Description
`access_token`	The access token that is used to authorize requests to the FotoWeb API
`token_type`	This is always `bearer`.
`expires_in`	Number of seconds after which the token is expected to expire.
`refresh_token`	OPTIONAL: A new refresh token.

The application can obtain the access token by parsing the response body.

If FotoWeb issues a new refresh token in the response, then the old refresh token (i.e., the one used in the request) is no longer valid.

It is unspecified whether and when FotoWeb will issue new refresh tokens when they are used to request new access tokens, so the client MUST support this case, even if it appears that FotoWeb does not issue new refresh tokens.

Refresh token life span

Refresh tokens have unlimited lifetime. However, future versions may have possibilities of limiting refresh token lifetime. Also, both users and administrators may perform actions that cause refresh tokens to be deleted (such as by changing application settings or “logging our of all sessions”).

Applications need to handle the case that a refresh token has been invalidated and in this case should either ask the user to re-authenticate and/or show an error message (depending on what is appropriate and meaningful in the situation).

For this reason, it is not recommended to use refresh tokens for non-interactive applications, as the user would not be able to take action when a refresh token is invalidated. For non-interactive applications, please refer to Non-interactive application authorization with OAuth 2.0