What are refresh tokens, access tokens and grant types?

I was researching security in REST APIs and found the terms refresh tokens, access tokens and grant type, referring to how tokens work and how the client requests resources.

What are they and what are their differences?

Author: Costamilam, 2018-10-29

2 answers

Access Tokens - a type of credential that you can use to give external systems permission to interact with your application. As you rightly mentioned, for example, your set of REST APIs could only be consumed via an identifier that you yourself offer to your partner systems. This ID is the Access Token. A practical example of this is when you need to consume some Google/Facebook API.

Refresh Tokens - occasionally, you may want to check from time to time the ID (Access Token) that the system consuming your API has. It can be for security reasons, monetization of your API, or even the frequency of API usage. It works as follows: you give your partners 2 keys: 1) the Access Token (with a short lifespan) and 2) the Refresh Token (used to pick up a new Access Token). That way, when your partner makes a request to your application, he sends these 2 keys and your system checks if the Access Token is expired. If so, you generate a new Access Token using the Refresh Token that the partner sent you.

Grant Types - when you hear this term, it refers to the ways an external system can obtain an Access Token to consume your API. They can be:

  1. Authorization code
  2. default
  3. Resource owner credentials
  4. Client credentials
  5. Refresh token

All of the concepts in your question are part of the OAuth 2.0 specification, and you can get more details here (OAuth 2.0 Docs) and here (OAuth 2.0 video workflow).

 8
Author: Claudivan Moreira, 2018-11-04 18:33:09
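
The access token / refresh token exchange discussed in the answer above, as an added example that is not part of the original post: an in-memory sketch of the OAuth 2.0 `refresh_token` grant, in which the client presents its refresh token to the token endpoint and receives a new pair. `TokenServer`, its method names, the 300-second lifetime and the single-use (rotated) refresh token are assumptions of this sketch, and real client authentication is omitted.

```python
import hashlib
import secrets
import time

ACCESS_TTL = 300  # seconds; assumption: a short access-token lifetime


class TokenServer:
    """In-memory sketch of an OAuth 2.0 token endpoint (hypothetical names)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.access = {}   # sha256(access token) -> (client_id, expires_at)
        self.refresh = {}  # sha256(refresh token) -> client_id

    @staticmethod
    def _h(token):
        # Store only hashes so a leaked store does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client_id):
        """Issue a token pair, as the last step of any grant that succeeded."""
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[self._h(at)] = (client_id, self.clock() + ACCESS_TTL)
        self.refresh[self._h(rt)] = client_id
        return {"access_token": at, "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": rt}

    def token(self, params):
        """Token endpoint; only grant_type=refresh_token is handled here."""
        if params.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        # pop() makes each refresh token single-use: a replay finds nothing.
        client_id = self.refresh.pop(self._h(params.get("refresh_token", "")), None)
        if client_id is None or client_id != params.get("client_id"):
            return {"error": "invalid_grant"}
        return self.issue(client_id)

    def check_access(self, access_token):
        """Resource-server check: a known token that has not expired."""
        entry = self.access.get(self._h(access_token))
        if entry is None or self.clock() >= entry[1]:
            return None
        return entry[0]
```

Passing a fake `clock` lets the expiry path be exercised without waiting; a production server would also revoke the old access token and authenticate the client before honouring the refresh.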

Access tokens are credentials used to access protected resources.

Refresh tokens are credentials used to obtain a new access token.

Grant type is used when the client wants to receive an access token without transmitting important information, such as the client secret.

Access tokens and Refresh tokens

Grant type

 3
Author: renanvm, 2018-11-01 12:00:22