In this video, get an explanation of what a native client includes, and the concepts of refresh token and access token.
In fact, the way it works is that if you keep using the application, the token just keeps extending its lifetime. So that's really nice, so you don't have to keep signing in again and again. We know how much fun it is to sign in on a mobile device. So I have been mentioning this word access token a few times now, but it's basically a token that you put in the header of your request. And if the server validates that token and that token grants you access to a certain resource, then your request succeeds; otherwise, it fails.
The important thing to realize about an access token is that it is usually short-lived. If you decrypt an access token using tools like jwt.io, etc., you'll see that it's got IAT, issued-at time, this is Unix time; NBF, not-before time; and EXP, expiration. There are various properties that the token has, but usually you'll see that the token is short-lived, 30 minutes to 2 hours depending on the system.
The refresh token, on the other hand, lasts a lot longer. Think of the refresh token as a long-lasting token with which you can get an access token many times. So think of it this way: if you authenticate to a server and the server gives you both an access token and a refresh token, then without the user having to provide credentials, you now have the ability to use the refresh token only to get a new access token.
Not only that, you can use the refresh token to get multiple access tokens for multiple resources. And not only that, because you are actually going back to the server to get a new access token, roughly once an hour, on the server side we can revoke the session by invalidating the refresh token. But the key here is that the refresh token needs to be kept encrypted and secure. And this is something that only a native application could do.
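The IAT/NBF/EXP claims described above, worked through in code. This is an added example, not code from the video or from Microsoft; it builds a constructed HS256 token with a made-up secret (a real Azure AD token is RS256-signed with a key you fetch from the issuer), decodes the payload the way jwt.io would show it, checks the three time claims with a small clock-skew allowance, and decides when a client should stop using the access token and go back with the refresh token instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing secret for this example only. Real Graph tokens are
# signed by Azure AD with an RSA key; this HMAC stand-in keeps the example offline.
SECRET = b"example-signing-secret-not-real"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    # Compact JWS strips padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build header.payload.signature for a constructed HS256 token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_claims(token: str) -> dict:
    """Decode the payload without verifying anything (what jwt.io displays)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(b64url_decode(parts[1]))


def check_lifetime(token: str, now: int, skew: int = 60, secret: bytes = SECRET):
    """Verify the signature, then iat/nbf/exp against `now` (Unix seconds).

    Returns (ok, reason). Signature is checked first so a forged payload
    can never talk us into accepting its own lifetime claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return False, "bad signature"
    claims = json.loads(b64url_decode(parts[1]))
    if "exp" not in claims:
        return False, "missing exp"
    if now >= claims["exp"] + skew:
        return False, "expired"
    if "nbf" in claims and now < claims["nbf"] - skew:
        return False, "not yet valid"
    if "iat" in claims and claims["iat"] > now + skew:
        return False, "issued in the future"
    return True, "valid"


def needs_refresh(token: str, now: int, margin: int = 300) -> bool:
    """True when the access token is within `margin` seconds of expiry, i.e.
    the client should redeem its refresh token for a new access token now
    rather than send a request that will fail."""
    return decode_claims(token)["exp"] - now < margin


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed issue time
    tok = make_token({"iat": issued, "nbf": issued, "exp": issued + 3600, "scp": "User.Read"})
    print(decode_claims(tok))
    print(check_lifetime(tok, issued + 10))      # valid
    print(check_lifetime(tok, issued + 3700))    # expired
    print(needs_refresh(tok, issued + 3400))     # True: time to use the refresh token
```

The one-hour `exp` here mirrors the roughly-once-an-hour trip back to the server mentioned above; `needs_refresh` is the point where a native client would present its stored refresh token, which is also the point where a server-side revocation of that refresh token takes effect.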
- What is Microsoft Graph?
- Registering a web application in Azure AD
- Adding authentication logic and authentication UI
- Native applications calling Graph
- Reviewing scenarios where web apps involving Graph are useful
- Web applications with application identity and delegated identity calling Graph
- Daemons calling Graph