Page Comparison

Refresh tokens (RT) are used to obtain new access tokens (AT) from the Authentication Server (AS). Refresh tokens are long-lived while access tokens are short-lived. This allows for long-lived sessions that can be terminated if necessary. The typical flow is:

...

1. The user logs in and gets back an AT and

...

1. an RT

2. The application detects that the AT is expired or that a different AT is required

3. The application uses the RT to obtain a new AT and a new RT that replaces the old RT

4. Repeat 2 and 3 until the RT or the session expires

5. After the RT or the session expires, the user must authenticate again

By default RT’s expire after 30 minutes of inactivity, while the session can be kept alive for 10 hours by exchanging tokens at least every 30 minutes, thereby getting a new RT.

It is highly recommended that the application always uses the RT from the latest exchange, as this will be valid for the longest. The validity of old RT’s RTs can not be guarantiedguaranteed, as the AS, at some point in the future, may be configured to revoke RT’s RTs after a certain number of uses.

...

Offline access is a feature described in OpenID Connect specification . The idea is that during login, your client application will request an Offline token instead of a classic Refresh token. The application can save this offline token in a database or on a disk.

The difference between a classic Refresh token and an Offline token is, that an offline token will never expire by default. The offline token is valid even after a user logout 's active session expires or a server restartrestarts. However, by default, the offline token expires after 30 days if not used.

...

The client can request an offline token by adding the parameter scope=offline_access when sending an authorization request to the AS.

...

It is only recommended to use offline access if you intend to store the Offline token for later use. Else Otherwise unused offline tokens will pile up on the AS.

...