From the course: Web Security: OAuth and OpenID Connect (2019)

Using access and refresh tokens

- [Instructor] Two tokens form the foundation of OAuth: the access and the refresh tokens. An access token is the easiest to understand. It's the hotel keycard that gave us access to specific resources for a specific time. When you make a request to an API, you use the access token. As long as the API validates the token, a malicious user can't add scopes or extend the expiration. Then the API performs the work or returns the data exactly as you'd expect. Unfortunately, if a bad guy steals it, they can usually use the API as us until expiration. The bright side is that, just like a hotel keycard, it doesn't have our actual credentials or billing information embedded in it. This is also why there's a token revocation spec that comes in handy if your token is ever compromised. Refresh tokens are quite a bit different. First, they're opaque, which means they're not JWTs that we can decode and verify. As a result, refresh…
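The points made in this segment, as an added worked example that is not part of the course material: a toy resource server validates a self-contained (JWT) access token, so an attacker who rewrites the payload to add a scope or push out the expiration is rejected by the signature check, while a stolen but unmodified token keeps working until it expires or is revoked. The example is standard-library Python only; it assumes HS256 with a shared secret (real deployments usually verify RS256/ES256 against the authorization server's public key), a constructed secret and clock, and a denylist keyed on the token's jti as one way a resource server can honour a revocation. The refresh-token helpers show the "opaque" property: random bytes meaningful only to the issuer, stored as a hash.

```python
"""Toy OAuth resource-server checks (added example, not the course's code).
Assumptions: HS256 with a shared secret, constructed secret and timestamps,
revocation enforced via a jti denylist."""
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(secret: bytes, sub: str, scope: str, ttl: int, now: int) -> str:
    """Authorization server side: issue a signed, self-contained access token."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "scope": scope, "iat": now, "exp": now + ttl,
              "jti": secrets.token_hex(8)}  # jti gives revocation something to key on
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_access_token(token: str, secret: bytes, required_scope: str,
                          revoked_jtis: set, now: int) -> tuple:
    """Resource server side. Signature is checked first so that nothing in an
    unverified payload (scope, exp) is ever trusted. Returns (ok, reason_or_sub)."""
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return False, "bad signature"
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        return False, "unexpected alg"  # never let the token pick the algorithm
    claims = json.loads(_b64url_decode(c64))
    if now >= claims.get("exp", 0):
        return False, "expired"
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient scope"
    if claims.get("jti") in revoked_jtis:
        return False, "revoked"
    return True, claims["sub"]


def tamper(token: str, **new_claims) -> str:
    """What a thief can try with a self-contained token: rewrite the payload.
    The original signature no longer covers it, so a validating API rejects it."""
    h64, c64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(c64))
    claims.update(new_claims)
    return f"{h64}.{_b64url(json.dumps(claims).encode())}.{s64}"


def issue_refresh_token(store: dict, sub: str) -> str:
    """Refresh tokens are opaque: random bytes with no decodable structure.
    Only a hash is stored, so a leaked store does not yield usable tokens."""
    token = secrets.token_urlsafe(32)
    store[hashlib.sha256(token.encode()).hexdigest()] = sub
    return token


def redeem_refresh_token(store: dict, token: str):
    """Look up an opaque refresh token by its hash; None if unknown."""
    return store.get(hashlib.sha256(token.encode()).hexdigest())


def demo() -> dict:
    secret = b"constructed-shared-secret"  # constructed, not a real key
    now = 1_700_000_000                    # constructed clock value
    revoked = set()
    token = mint_access_token(secret, "alice", "read:profile", ttl=3600, now=now)
    results = {
        "valid": validate_access_token(token, secret, "read:profile", revoked, now)[0],
        # A stolen, unmodified token is still accepted until it expires.
        "stolen_still_valid": validate_access_token(token, secret, "read:profile", revoked, now + 60)[0],
        # Adding a scope or extending exp breaks the signature.
        "added_scope": validate_access_token(tamper(token, scope="read:profile admin"), secret, "admin", revoked, now)[1],
        "extended_exp": validate_access_token(tamper(token, exp=now + 365 * 86400), secret, "read:profile", revoked, now + 7200)[1],
        "expired": validate_access_token(token, secret, "read:profile", revoked, now + 3600)[1],
    }
    # After a revocation request (RFC 7009 defines the endpoint at the authorization
    # server), the resource server learns the jti is dead and refuses the token.
    revoked.add(json.loads(_b64url_decode(token.split(".")[1]))["jti"])
    results["after_revocation"] = validate_access_token(token, secret, "read:profile", revoked, now)[1]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The "stolen_still_valid" outcome is the caveat from the segment: validation proves the token was not altered, not that the bearer is its rightful owner, which is why short lifetimes plus revocation matter. A self-contained JWT can only be revoked early if the resource server consults something beyond the token itself (a denylist as here, or token introspection).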