Oauth Refresh Token

0 helps to define the flow to get the access token by which protected resources can be accessed. Moreover, we don't want to keep running refresh requests if there is no chance of renewal because the access_token expiry date is past. …The OpenID Connect specification has a third,…called the ID token. Obtaining an access token from a refresh token. The refresh token enables your application to obtain a new access token if the one that you have expires. The access token is used to authenticate all your requests, but expires in two hours. Set refresh_token to the refresh token value returned from the authorization code grant request. A refresh token is returned with the access token when exchanging an authorization code as part of the two-step and three-step OAuth processes, and it can be used as long as the access token remains active. This article describes a simple way to grab some OAuth 2. Refresh tokens must be bound to a client – you typically don’t want that a refresh token from your desktop client can be used from the web client and so on (this is also important for being able to revoke them). After the client consumer has been authorized for access, they can use a refresh token to get a new access token (session ID). To get a new access token requires a new product login and new token request, or a request that contains a refresh token. Demonstrates how to refresh an expiring Dynamics CRM access token using the refresh token. To see the relevant list of CAS properties, please review this guide. If using the Client Credentials Grant, it should be easy enough to request additional tokens by replaying the original token request. The presence of the refresh token means that the access token will expire and you’ll be able to get a new one without the user’s interaction. We’ll be creating hybrid authentication flow to implement refresh token using grant types Resource Owner Password Credentials(ROPC) and Refresh Token. IdentityServer4 is an OpenID Connect and OAuth 2.
These tokens allow to generate a new access token when it expired. com service will require the service to know how to direct you to the OAuth login page, capture and store the access token credentials from the redirect URL and refresh the token when necessary, none of which the service know how to do today with the tooling. The following flow assumes, the client has already got the authorization code. After my previous Token Based Authentication post I've received many requests to add OAuth Refresh Tokens to the OAuth Resource Owner Password Credentials flow which I'm currently using in the previous tutorial. To refresh your tokens when using implicit flow you can use a silent refresh. Authenticate Once, Refresh the Rest – The new indefinite Refresh Token can be used to request a new Access Token to maintain the sync between your app and a user’s Infusionsoft application. The access token obtained will be consumed by a multitude of processes that require authentication back to Salesforce to access Force. The Streamlabs API uses OAuth 2 for authentication. So, for example, if your access token has expired, but its refresh token has not yet expired, you can use them to generate a new set of tokens (refresh tokens). Once registered, you can begin involving the user in an OAuth dance to gain an access token. The imgur doc states that it requires a post method with a body containing refresh_token, client_id, client_secret, and grant_type(which is just "refresh_token"), an. The access token will be used for subsequent API calls that require authentication, while the purpose of the refresh token is to obtain a new valid access token or just revoke the previous one. Embedded Google OAuth Refresh Token This information is intended for developers of apps that have embedded the Google OAuth refresh token of a hardcoded user in their app. The refresh token. require 'dropbox_sdk' client = DropboxClient. 
This is the explicit flow of authentication with Office365 from the web application. The client can use the refresh token to request another access token, avoiding involving the user again until the refresh token expires. These are the oAuth Scopes that selected in Salesforce. Store the returned refresh_token for the purpose of getting a new access_token after the access token expires. The Refresh Token is a special token used to generate additional Access Tokens. This filter supports the OAuth 2. new("") puts client. We can after that continue to use the Access Token until it expires and after that use the Refresh Token to get a new Access Token. At the end of this API call, your environment should have a new access_token and refresh_token value, and you should be able to make any of the other API calls. Note: Save refresh tokens in secure long-term storage and continue to use them as long as they remain valid. The refresh token likewise has a limited validity period. Refresh Tokens. If a refresh token intended for such a client was stolen, the thief could use it to request access tokens for that user, without their knowledge or consent. This library adds a new grant type for OAuth2 Server: Refresh Token Grant Type. Refreshing JWTs with Refresh Tokens | ASP. Later, the OAuth 2. This same token was returned upon refresh of the Access token. The most common case of this for this is native mobile applications that run into issues of network connectivity during the refresh cycle and are unable to complete the full request/response life cycle. With the refresh token the user does not need to login again and they use refresh token to request a new authorization token. 0 provides specific authorization flows for web applications, desktop applications, mobile phones, and smart devices. • Access Token: OAuth token used to directly access protected resources on behalf of a user or service. All main parts of the OAuth 2.
NET solution online that tells me where or how to store this from the perspective of my consuming web application. Instead of using a web view, you can open up the OAuth2 log-in request in a frame, an iframe or a separate window. You'll start off by looking at an insecure and badly-designed ASP. The user must login again. To use this access token, you need to construct a normal HTTP request and include it in an Authorization header along with the value of Bearer. Specifically, this is intended to use access tokens acquired using the Authorization Code grant and can refresh those tokens using an optional refresh token. The idea of refresh tokens is that if an access token is compromised, because it is short-lived, the attacker has a limited window in which to abuse it. The access token response contains the expires_in parameter that tells you how long the token will be valid for. Refresh tokens are used to obtain new, valid access tokens after the original access token has expired or been revoked. Next, hit the Send button to request a new access_token. This is the flow you are following: Start processing steemit stream; Fetch users; Get refresh_token from user; Use refresh_token to get. So, for example, if your access token has expired, but its refresh token has not yet expired, you can use them to generate a new set of tokens (refresh tokens). Use the code you get after a user authorizes your app to get an access token and refresh token. In my opinion, the two-token system is a very convoluted solution that feels like it was trying to address architecture optimizations and not to make security easy. Refresh Token Refresh tokens are used as a way to gain a new access token after the original access token has expired. 0 provides specific authorization flows for web applications, desktop applications, mobile phones, and smart devices. If the token has expired, a new access token will be retrieved by either re-authentication or by using an available refresh token.
The size of third-party tokens must be 2 KB or smaller. 0 specification. Access tokens have a limited life span and when you receive one you'll also receive an Expiry Time for it and a Refresh Token. In these cases, the refresh token is used to obtain a new access token. Refresh tokens, if compromised, are useless because the attacker requires the client id and secret in addition to the refresh token in order to gain an access token. Now, the client has to use the same private key and public key pair used before to generate the token binding message and once again, includes the base64url-encoded value of it to the Sec-Token-Binding HTTP header. Starting on October 15, 2018, the OAuth endpoints should be used to obtain short-lived access tokens and refresh tokens instead. For Integration with Google API using OAuth 2. So, after 24. 0 authorization server. We have encountered an issue on our live environment: The Multi Factor Authentication does not work anymore. When deciding which project to use, also consider other projects like OAuth, an OAuth 1 implementation that doesn't rely on you having https in your. com/oauth/token, using the latest unexpired refresh token, client ID, and client secret. We should make sure Serialize the Access Token ticket and set to Refresh Token's Protected Ticket after reset the Access Token's issued date and expire date, it's very important. It doesn't have a refresh token, as it could be overtaken by an attacker. Previously, the refresh token returned was good for 1 year. The application should store the refresh token for future use and use the access token to access a Google API. 0 framework for ASP. oAuth and Refresh tokens When using the Auth Code Grant with a 3rd party oAuth provider for account linking, the provider would redirect back to the Amazon pitangui fixed URI with the access token, and I presume the refresh token.
Unfortunately, unlike standard oA… I am using Envato API for generating Access token and refresh token. cs line 114). After an access token expires, using it to make a request from the API will result in an “Invalid Token Error”. Refresh Tokens. LinkedIn offers static refresh tokens. client_id: The Client ID (Application ID) of the application we created in the previous step. client_id: The account’s client_id value, provided after registering for OAuth2 access. Most access token grant response therefore include a refresh token that can then be used to generate a new access token, without the need for end user participation:. We can after that continue to use the Access Token until it expires and after that use the Refresh Token to get a new Access Token. When you first authenticate, your app will be given an access_token and a refresh_token. Refresh tokens are used to get a new access token when your current access token expires. In other words, compromised credentials can be shutdown much faster when refresh tokens are in use. And, the old Refresh Token is no longer valid. account_info()["display_name"] Note that the generated access token only works for your own Dropbox account. 0 helps to define the flow to get the access token by which protected resources can be accessed. 0 framework for ASP. POST /oauth/token HTTP/1. A refresh token allows an application to obtain a new access token without prompting the user. Using this gives us a client ID and secret that we can use in one of the two grant methods to receive a Access Token and Refresh Token. Hi I'd like to understand the exact parameters required to refresh an access token using the Xero Partner API. Combining OAuth and Chatbot functionality into one app will require you to implement two authorization flows for both OAuth and Chatbot tokens. revokeRefreshToken() : void. …In the core OAuth specification, RFC 6749,…there are two types of tokens specified,…access token and refresh token. 
More resources Refreshing Access Tokens (oauth. If you are new to OAuth2 or Box, please consider reviewing Box's authentication primer. 0 access and refresh tokens. 0 authorization code grant type, the client first gets the authorization code and then exchanges it to an access token and a refresh token by talking to the token endpoint of the OAuth 2. These keywords are configurable and used to specify permission level of the authenticated API client. So, after 24. 0 grants, this grant is suitable for machine-to-machine authentication where a specific user’s permission to access data is not required. The Refresh Token is a special token used to generate additional Access Tokens. Access token has defined validity period. 0 authorization server. Will this access token expiry time reduced in future for better security? Also i couldn't. To offer more security for our customers’ data and to eliminate the need for authentication every 90 days, we enabled new, short-lived Access Tokens and indefinite Refresh Tokens for our developers using OAuth. This is the flow you are following: Start processing steemit stream; Fetch users; Get refresh_token from user; Use refresh_token to get. When deciding which project to use, also consider other projects like OAuth, an OAuth 1 implementation that doesn't rely on you having https in your. At this point, if a refresh token was included when the original access token was issued, it can be used to request a fresh access token from the authorization server. Here is what my Auth0lock options are. OpenAM) to make the swap. When the grant_type is refresh_token, we will expire or delete the old refresh_token which belongs to this client_id and store a new refresh_token to the sqlite database. Note: Refresh tokens are only provided when retrieving a token using the Authorization Code or User Credentials grant types.
When you use the iOS, Android, or JavaScript SDK, the SDK will automatically refresh tokens if the person has used your app within the last 90 days. 0 token request. Access the management API with OAuth2. Similar to API keys, you may find OAuth access tokens all over the place: in query string, headers, and elsewhere. A refresh token can only be used once, as a new refresh token is returned with the new access token. The token revocation process does not include applications built on Apps Script, even if the script accesses mail. When the token expires the user needs to refresh the token. Furthermore the token endpoint can be extended to support extension grant types. The client can submit a JWT (JSON Web Token) in a request to the token endpoint. In this case, applications need a way to get an access token for their own account, outside the context of any specific user. When this token expires in 1 hour, you will need it and the session handle to obtain a new access token. After adding an OAuth 2 profile to the request, you enter an access token, get a new token from the server, add settings for the profile, or define it is to handle access and refresh tokens. 0 refresh token flow. In this OAuth tutorial we learned how to store the Refresh Token in an AngularJS client application, how to refresh an expired Access Token and how to leverage the Zuul proxy for all of that. These clients are typically implemented in a browser using a scripting language such as JavaScript. 0, the Access Token and Refresh Token are returned in the same response during the token exchange. …The access token is what gives the client. 0 will serve as the authentication protocol for this scenario. 0 Bearer Token. The access token obtained will be consumed by a multitude of processes that require authentication back to Salesforce to access Force. 0 refresh token flow. NET Core Web API and Angular.
When using OAuth 2. ADFS issues access tokens and refresh tokens in the JWT (JSON Web Token) format in response to successful authorization requests using the OAuth 2. Your service can then validate the client_id & client_secret, validate the refresh_token, expire this refresh_token and issue a brand new access_token & refresh_token pair to the client (Amazon). Similarly, oAuth Client are the applications which want access of the credentials on behalf of owner and owner is the user which has account on oAuth providers such as facebook and twitter. Not all OAuth servers support refresh tokens. Also, just getting an access token doesn't mean the user's logged in. All of the code for this post is available at github. 0 framework for ASP. Configure assertion properties as shown below. In this article I will use a sample application to walk you through obtaining an OAuth 2. When the refresh request is granted, the response contains another access token/refresh token pair which will need to be stored for the next cycle. The request requires user authentication; the client ID is used as the user, and the client secret as the password. Allows a registered application to obtain an OAuth 2 Bearer Token, which can be used to make API requests on an application's own behalf, without a user context. The OAuth2 + OIDC Debugger is a general-purpose testing tool for the OAuth2 and OpenID…. refresh_token: A refresh token that can be used to acquire a new access token when the original expires To learn more about this flow: Resource Owner Password Credentials Grant in Azure AD OAuth Besides the access token, we received two additional tokens - Refresh Token and ID Token. Once you make the request you will get following result. However, it works only when a new token is generated, but not after it expires. The initial authentication process is via an OAuth 2. The information can also include some client state, if it was initially sent by the client.
Access token has defined validity period. 0 refresh token flow. However, for some reason that token may have expired or was revoked by the OAuth server. To solve this problem, OAuth 2. Everything is working except that the user must reauthenticate every 8 hour. NET Core Web API. The authorization server may issue a new refresh token, in which case the client must discard the old refresh token and replace it with the new refresh token. The idea is then to mark a token as revoked in my database if I get a 400 response from /api/v1/access_token. In the previous example, we have discussed about spring boot OAuth 2 authentication server configuration but it was storing token in-memory. When the token expires the user needs to refresh the token. If an application uses an expired access token, a “Session expired or invalid” error is returned. 0 grants, this grant is suitable for machine-to-machine authentication where a specific user's permission to access data is not required. The refresh_token is used only in the grant type: refresh call to the token endpoint. Issuing a refresh token is optional and if the authorization server issues a refresh token, it is included when issuing an access token. It is free and also has support for commercial uses. 4 ) The simplest of all of the OAuth 2. Access tokens have a limited life span and when you receive one you'll also receive an Expiry Time for it and a Refresh Token. But reusing the same refresh token is a liability, because if it's intercepted it can be used to produce or get existing valid access tokens. Access and manage your data (api) Provide access to your data via the Web (web) Can any please help. Salesforce Refresh Token OAuth. HelloJS honors the OAuth2 refresh_token, and will also request a new access_token once it has expired. 
We will try to create the token as well as the refresh token after successful login, refresh token will be used to generate a new token if current token is already expired and it is not too late. Refreshing a Token when using Implicit Flow (Silent Refresh) To refresh your tokens when using implicit flow you can use a silent refresh. For anyone looking for an answer, you should have a refresh token OAuth2Authenticator, example : var authenticator = new OAuth2Authenticator( clientId, null, Constants. OAuth2 Client is a library to help you handle OAuth2 access and request tokens. println(" token revoked. To see the relevant list of CAS properties, please review this guide. We’ll be creating hybrid authentication flow to implement refresh token using grant types Resource Owner Password Credentials(ROPC) and Refresh Token. Once your access token expires it can no longer be used to access the API. oAuth and Refresh tokens When using the Auth Code Grant with a 3rd party oAuth provider for account linking, the provider would redirect back to the Amazon pitangui fixed URI with the access token, and I presume the refresh token. After an access token expires, using it to make a request from the API will result in an "Invalid Token Error". The client application can store the refresh token, using it to periodically obtain fresh access tokens, but should be careful to protect it against unauthorized access, since, like a password, it can be repeatedly used to gain access to the resource server. 0 is the industry-standard protocol for authorization. How do I get an OAuth2 refresh token for a python script? I'm currently trying to rewrite my bot to use OAuth2 because of the upcoming change. OAuth Refresh token has expired after 90 days We have encountered an issue on our live environment: The Multi Factor Authentication does not work anymore. As such, if your application loses the refresh token, the user will need to repeat the OAuth 2. 
The Oauth2 2-legged Token asset works in a similar way, except the authentication is all done on the server side and doesn't require the user to get redirected and authenticate on the front end. Getting AdWords API Tokens from the OAuth Playground. 0 helps to define the flow to get the access token by which protected resources can be accessed. token - request a one-time token that can be used immediately, but cannot be refreshed. …The access token is what gives the client. Once a new refresh token is returned, the older refresh token is invalidated immediately. 0 consent flow so that your application can obtain a new refresh token. Create your own grant type by implementing the OAuth2\GrantType\GrantTypeInterface and adding it to the OAuth2 Server object. 0 is not backwards compatible with OAuth 1. In short, if the refresh token is compromised, it is much easier to detect it and take appropriate action, such as disabling the auth tokens and refresh tokens, and forcing the user to login again with their credentials. So that i can make API calls. Store the returned refresh_token for the purpose of getting a new access_token after the access token expires. Refresh tokens are saved by us in the storage and during invoking renew token request it it get from there and the new token is generated. This method call will perform a synchronous HTTP request to the remote authorization server, executing the OAuth 2. Once you make the request you will get following result. Note that while access and refresh tokens may have their own lifetime and expiration policy, they are typically upper-bound to the length of the CAS single sign-on session. The authorization request should be used for 2 things (at least): to validate that the client id of the original access token is the same as the one requesting the refresh, and to narrow the scopes (if provided). The refresh token can be renewed within the 14 day period, and extended for up to 90 days. 
If the authorization server issues a refresh token, it is included when issuing an access token. After adding an OAuth 2 profile to the request, you enter an access token, get a new token from the server, add settings for the profile, or define it is to handle access and refresh tokens. When the token expires the user needs to refresh the token. OAS 3 This page applies to OpenAPI 3 – the latest version of the OpenAPI Specification. How automate the token refresh. OAuth2 is a protocol designed to let third-party applications authenticate to perform actions as a user, without getting the user's password. Access and manage your data (api) Provide access to your data via the Web (web) Can any please help. We will try to create the token as well as the refresh token after successful login, refresh token will be used to generate a new token if current token is already expired and it is not too late. 0 refresh token flow. IdentityServer4 is an OpenID Connect and OAuth 2. 0 protocol uses a number of actors to achieve the main tasks of getting an access token and using an access token. – Access Token – Refresh Token. • Access Token: OAuth token used to directly access protected resources on behalf of a user or service. This is a knowledge article to help understand the root cause why the http connector does send payload when using http requester authenticated by oauth. 0 adds the concept of a refresh token; this token cannot be used to call the API. In the response Square returns a new access token along with a refresh token. Viewed 748 times 1. After your access token expires, you'll use the refresh token that was provided when your access token was initially granted to request a new access token. 0, the Access Token and Refresh Token are returned in the same response during the token exchange, this is called an Access Token Response. This process starts with Getting the user's consent.
stackexchange, I just realized that refresh tokens are not mandatorily exchanged for a new one, that's just my framework current implementation and settings. If you have a refresh token, you can use it to get a new access token. I'm trying to implement a mobile app using oauth in ADFS 3. POST https://api. aspx can be utilized to get an Access Token from a refresh token instead of the User having to re-authenticate. The refresh token enables your application to obtain a new access token if the one that you have expires. I’m about to embark on a project that requires multiple oauth connections, integrating with various other services. Introduction The OAuth 2. All of the code for this post is available at github. The refresh_token is used only in the grant type: refresh call to the token endpoint. Embedded Google OAuth Refresh Token This information is intended for developers of apps that have embedded the Google OAuth refresh token of a hardcoded user in their app. For example, a call to the tickets endpoint that would normally look like this:. OAuth Token Details. I’m not asking about that, i’m asking about OAuth access token expiry. See how you can get the basics working in less than 5 minutes! This project is focused in simplicity of use and flexibility. For more details on OAuth 2. I know this is determined by the SsoLifetime in ADFS which defines the Oauth refresh token life time. How to obtain an OAuth 2. NET and OAuth together to create an API that is highly secure and well-built. xml in the LotusConnections-config directory. I won’t be explaining all protocols here. Subsequent authorizations, such as the kind you make while testing an OAuth2 integration, will not return the refresh_token again. The OAuth 2. Introduction. In my opinion, the two-token system is a very convoluted solution that feels like it was trying to address architecture optimizations and not to make security easy.
Access tokens have a limited lifetime specified by the session timeout in Salesforce. Authenticate using OAuth to obtain a valid access token while not storing any credentials (username, password and security token) within ICRT. What really makes me sad is the complete lack of information provided by Streamsets regarding the intended behavior if a refresh should happen. Refresh token is one. But everytime I do, I get the exact same (access and refresh) tokens back, and the expiration of the access token hasn't moved a bit. 0 protocol uses a number of actors to achieve the main tasks of getting an access token and using an access token. 9k points) I am trying to refresh the access token using the refresh. NET as your web platform and are looking to expand it to another platform such as mobile applications, and need to authenticate users from that external application, one of the best ways of going about it is through the use of OAuth Bearer Tokens. We will try to create the token as well as the refresh token after successful login, refresh token will be used to generate a new token if current token is already expired and it is not too late. The OpenID is a great way when Office 365 authentication is needed within a web application. For more details on OAuth 2. Issuing a refresh token is optional and if the authorization server issues a refresh token, it is included when issuing an access token. A hardcoded refresh token can be extracted from your application and exchanged for an access token by anyone analyzing your application, which may impact the security of your. Refreshing Access Tokens. How do I get an OAuth2 refresh token for a python script? I'm currently trying to rewrite my bot to use OAuth2 because of the upcoming change. Applications must use refresh tokens to generate new access tokens. That means you need to introduce client authentication (or at least identification). So, after 24. Once you make the request you will get following result. 
You will get back an access_token which is treated as an OAuth 2. The access token and secret will be used to sign API calls. Looks like their implementation of refresh token flow does not return new refresh token with every refresh of an access token. The user now sees the form with “Get resource” button again. But reusing the same refresh token is a liability, because if it's intercepted it can be used to produce or get existing valid access tokens. 0 as authentication work strangely and when acquiring an AccessToken they keep changing RefreshToken with each request. We'll be creating hybrid authentication flow to implement refresh token using grant types Resource Owner Password Credentials(ROPC) and Refresh Token. For more details on OAuth 2. OAuth2 is a protocol designed to let third-party applications authenticate to perform actions as a user, without getting the user's password. Hi sushilchaurasia, I suggest you check the code in the refresh Token Generator function. A refresh token is good for 24 hours. To get a refresh token, you must mint a new User access token. For more detailed information about using this service, go to. Issuing a refresh token is optional and if the authorization server issues a refresh token, it is included when issuing an access token. refresh-token Helper function to get always an oauth 2 valid token given a refresh token. The provider will mention whether they allow token refresh in their API documentation and if you see a “refresh_token” in your token response you are. Access token: It contains all the information the server needs to know if the user / device can access the resource you are requesting or not. Bulletproof Requests. As such, if your application loses the refresh token, the user will need to repeat the OAuth 2. If an application uses an expired access token, a “Session expired or invalid” error is returned.
The refresh token request typically takes the refresh token and returns a new access token as a response along with operational attributes like the type of token, its expiry and another refresh token. js has several authentication strategies that handle OAuth2 authentication, but refreshing access tokens is something that you still need to do yourself manually (e. 4 ) The simplest of all of the OAuth 2. Like the access token, the refresh token is sent by the authorization server to the client after authorization by the resource owner. With OAuth, your app can request a set of tokens for a certain user with a specific set of permissions. The idea of refresh tokens is that if an access token is compromised, because it is short-lived, the attacker has a limited window in which to abuse it. HelloJS honors the OAuth2 refresh_token, and will also request a new access_token once it has expired. Furthermore the token endpoint can be extended to support extension grant types. NET API, talking about how to approach this API from third party applications, and also how to consume this API. After the client consumer has been authorized for access, they can use a refresh token to get a new access token (session ID). New OAuth2 access tokens have expirations. Under the OAuth 2. I am trying to retrieve an access token for my application which only requires an Application Only OAuth since it does not require the user to insert their credentials. Without a defined standard for tokens, when developers integrate with multiple document management services they must keep in mind various expiration intervals to maintain access across the board. 0 will serve as the authentication protocol for this scenario. Instead of passing the refresh token, this call just needs the current access token (in the “Authorization” header). The user must login again.
Secure, scalable, and highly available authentication and user management for any app. A refresh token allows your application to obtain new access tokens. Set scope to the same URL-encoded list of scopes that you used in the original consent request. In this article I will use a sample application to walk you through obtaining an OAuth 2. However, the refresh_token is bound to a user. Also, just getting an access token doesn't mean the user's logged in. The OAuth solution to this problem is a two-token approach, where a short-lived access token with a longer-lived refresh token is used to get more access tokens. …In the core OAuth specification, RFC 6749,…there are two types of tokens specified,…access token and refresh token. There is one piece of information you get at least the first time the user accesses your app. Refresh token grant. In the previous steps, we persisted our refresh_token either to a file or a database. A refresh token is returned with the access token when exchanging an authorization code as part of the two-step and three-step OAuth processes, and it can be used as long as the access token remains active. To refresh your tokens when using implicit flow you can use a silent refresh. RTs are issued alongside an access token (AT). In order to use OAuth with Jive, we have to register a client with Jive by creating and installing an add-on. The instance can use an existing refresh token to create a new access token.