Tokens

Distinguishing between the different token types can be confusing: they have different lifetimes and different purposes, and not all of them are available in every situation.

  • ID tokens carry identity information encoded in the token itself, which must be a JWT (JSON Web Token).

  • Access tokens are used to gain access to resources by presenting them as bearer tokens. A bearer token means that whoever holds (“bears”) the token can access the authorized resources without further identification. Because of this, it is important that bearer tokens are protected: if someone manages to get hold of your access token, they can masquerade as you. The lifetime of an access token is usually one hour. Although the standard does not require it, in our case this token is also a JWT.

  • Refresh tokens exist solely to obtain new access tokens. It is not convenient to ask an end user to enter their credentials every time an access token expires. On the other hand, from a security perspective, it must be possible to cut off someone's access without waiting weeks for their token to expire. Refresh tokens are therefore valid for multiple weeks and can be revoked. Additionally, it is possible to get a new refresh token using the old one, or to extend the lifetime of an existing refresh token so that it is valid for multiple months.
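To make the three roles and lifetimes concrete, here is an added example (not code from the original page) modelling a minimal issuer and resource-server check in Python: ID and access tokens as HS256 JWTs that expire after one hour, and refresh tokens as opaque server-side records that can be revoked. The signing key, the two-week refresh lifetime and the `read` scope are assumptions made for the demo.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-signing-key"  # assumption: HS256 shared secret (demo only)
REFRESH_STORE = {}   # server-side record: refresh token -> (subject, expiry)
REVOKED = set()      # revoked refresh tokens (checked on every refresh)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict) -> str:
    """Build a compact HS256 JWT: header.payload.signature (base64url)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token: str, now: float):
    """Resource-server check: valid signature and not expired -> claims, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        valid = hmac.compare_digest(expected, _unb64(sig))
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed base64, JSON or wrong number of segments
        return None
    if not valid or claims.get("exp", 0) <= now:  # missing exp counts as expired
        return None
    return claims

def issue_tokens(subject: str, now: float) -> dict:
    """ID and access tokens are one-hour JWTs; the refresh token is opaque, two weeks (assumed)."""
    id_token = sign_jwt({"sub": subject, "name": subject.title(), "exp": now + 3600})
    access = sign_jwt({"sub": subject, "scope": "read", "exp": now + 3600})
    refresh = secrets.token_urlsafe(32)
    REFRESH_STORE[refresh] = (subject, now + 14 * 86400)
    return {"id_token": id_token, "access_token": access, "refresh_token": refresh}

def refresh_access(refresh: str, now: float):
    """Exchange a live, unrevoked refresh token for a fresh one-hour access token."""
    entry = REFRESH_STORE.get(refresh)
    if entry is None or refresh in REVOKED or entry[1] <= now:
        return None
    return sign_jwt({"sub": entry[0], "scope": "read", "exp": now + 3600})

def revoke_refresh(refresh: str) -> None:
    REVOKED.add(refresh)  # lets access be cut off before the refresh token expires
```

Note that revoking the refresh token does not invalidate an already-issued access token; that one simply runs out after its hour, which is why the access-token lifetime is kept short.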