What is the difference between the Access Token and the Refresh Token?
- Access tokens carry the necessary information to access a resource directly. When a client passes an access token to a server managing a resource, that server can use the information contained in the token to decide whether the client is authorized or not. Access tokens usually have an expiration date and are short-lived.
- Refresh tokens carry the information necessary to get a new access token. Whenever an access token is required to access a specific resource, a client may use a refresh token to get a new access token issued by the authentication server. Common use cases include getting new access tokens after old ones have expired, or getting access to a new resource for the first time. Refresh tokens can also expire but are rather long-lived. Refresh tokens are usually subject to strict storage requirements to ensure they are not leaked. They can also be blacklisted by the authorization server.
What are the default values of these tokens in Jive?
By default, the Access Token is valid for 48 hours from issuance, and that is reflected in the "expires_in" parameter of the payload. A request made with an expired Access Token will result in a 401 response code. The Refresh Token has a default lifespan of 10 years and is used to request a new Access Token once the current one expires.
What are some examples of applications which leverage these token settings?
A common example would be the various Jive Mobile apps and their corresponding add-ons, which allow said apps to be connected to a Jive instance. This connection is maintained through OAuth. If a user in your Jive Community were to be unexpectedly logged out of a mobile app without initiating the logout, a good place to look as a community manager would be the add-on settings. If the Refresh Token lifetime is set to a small value, it is possible that its expiration has forced users to re-authorize and obtain a new access token. For this reason, it is recommended that the Refresh Token be set with an expiration value that is much larger than that of the access token.
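As an added illustration (not Jive's own code or API), the following Python sketch shows how a client should treat the token payload described above: track "expires_in" client-side, refresh proactively before the 48-hour expiry, and recover once from a 401. The FakeJive class, the token strings and the lifetimes_sane check are constructed stand-ins; no network is involved.

```python
from dataclasses import dataclass
# Default Jive lifetimes stated on this page: access token 48 h; the refresh token defaults to 10 years.
ACCESS_LIFETIME = 48 * 3600

@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    issued_at: float   # client clock reading when the payload arrived
    expires_in: int    # seconds, straight from the "expires_in" parameter
    def access_expired(self, now, skew=60):
        # Expire slightly early so a request already in flight does not hit the 401 boundary.
        return now >= self.issued_at + self.expires_in - skew

def parse_token_response(payload, now):
    return TokenSet(payload["access_token"], payload["refresh_token"], now, int(payload["expires_in"]))

def lifetimes_sane(access_seconds, refresh_seconds):
    # The page's recommendation: the refresh lifetime must be larger than the access lifetime.
    return refresh_seconds > access_seconds

class FakeJive:
    """Constructed stand-in for the token endpoint and one REST resource; no network."""
    def __init__(self):
        self.issued, self.valid = 0, None
    def refresh(self, refresh_token):  # grant_type=refresh_token
        assert refresh_token == "rt-1", "unknown or revoked refresh token"
        self.issued += 1
        self.valid = f"at-{self.issued}"
        return {"access_token": self.valid, "refresh_token": "rt-1", "expires_in": ACCESS_LIFETIME}

    def get(self, access_token):  # 401 for anything but the current access token
        return 200 if access_token == self.valid else 401

def call_with_refresh(tokens, server, now):
    if tokens.access_expired(now):  # proactive refresh when the client knows the token expired
        tokens = parse_token_response(server.refresh(tokens.refresh_token), now)
    status = server.get(tokens.access_token)
    if status == 401:  # revoked or expired server-side: one refresh, one retry
        tokens = parse_token_response(server.refresh(tokens.refresh_token), now)
        status = server.get(tokens.access_token)
    return status, tokens

def demo():
    server = FakeJive()
    tokens = parse_token_response(server.refresh("rt-1"), now=0)                    # initial grant
    server.valid = None                                                                # invalidated server-side
    recovered, tokens = call_with_refresh(tokens, server, now=3600)                   # 401 -> refresh -> retry
    expired, tokens = call_with_refresh(tokens, server, now=ACCESS_LIFETIME + 3600)   # past 48 h: refresh first
    return recovered, expired, server.issued
```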
What does revoking access do?
At any point, a user might want to revoke access to a previously granted client or view which applications they may have given access to. There are two ways to revoke an authorization that was granted by a user: through the Jive UI or by performing a REST API call.
To get to the management screen, click your Avatar on the main nav > Manage Add-ons > Apps Management. You can revoke access to any specific application that was once granted from that panel; doing so revokes both the Access and Refresh Token, requiring the user to grant access again using the Authorization Code Grant method.