Unlocking the Secrets of Access Tokens and Refresh Tokens: A Dive into Secure User Authentication in Web Applications

Access tokens and refresh tokens are components of the OAuth 2.0 authentication and authorization framework, which is commonly used to secure and manage access to resources in web applications.

Access tokens and refresh tokens are used to authorize users in the backend. Generally, the access token is employed to authorize users to access resources. Both tokens contribute to providing a good experience for users, allowing the development of a web app where we don't have to ask users for email and password each time the session expires.

The access token is generally short-lived, expiring within 24 hours or even within the hour. After it expires, the user must refresh it by logging in again via email and password. To avoid this process of refreshing tokens via email and password, another token called a refresh token is utilized.

The other token used is known as a storage token or refresh token, which is stored in our database. Suppose the user's access token is invalid or expired; in that case, the server sends the user a 401 request due to an unauthorized request. To handle this 401 request in the frontend, there are two ways:

First way: The initial approach to handling a 401 request is for the user to log in again via email and password, refreshing the access token.

Second way: The alternative method involves the frontend developer navigating to another route where email or password is not required. In this route, the access token is refreshed using the stored refresh token in the database and the refresh token in the session. and store access token and Refreshtoken in cookies and store newly generated refreshtoken into databases.

Unlike access tokens, refresh tokens are long-lived and are not meant to be included in every request to the resource server. Instead, they are securely stored on the server (e.g., on a database) and used to generate a new access token when needed.

We can say a refresh token makes it possible to re-validate a user without requiring them to provide their login information repeatedly. A Refresh token is a credential that is used to obtain a new access token when the current access token expires.

Looking ahead, there's a lot more to discover together. Stay tuned for upcoming articles that delve into new topics and expand on the foundations we've built here. Your curiosity and enthusiasm inspire me, and I'm grateful for each reader who embarks on this intellectual adventure.

Until next time, happy reading and exploring!