Identity Lab 2 Exercise 3 - Working with Refresh Tokens

If you came to this page directly, go to the first page of this lab and read through the instructions before getting started.

Right now, if your users stay logged in for too long and try to refresh the / page, they will run into a problem. Access tokens are designed to be passed between services over the network, which makes them more prone to leakage, so they should expire quickly. Once an access token has expired, your API won't accept it anymore, and your web application won't be able to fetch the data it needs. A "token expired" error will be returned instead.

To change this behavior, you can make your web app take advantage of yet another token: the refresh token. A refresh token is used to obtain new access tokens and/or ID tokens from the authorization server. In this exercise, we're going to modify the application to obtain a refresh token and use it to get a new access token when the current one expires.
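The refresh flow described above, as an added example that is not code from this lab: it decides when a stored access token needs replacing, builds the standard OAuth 2.0 `refresh_token` grant request (RFC 6749, section 6), and merges the response, including the case where the server rotates the refresh token. The function names, the `config` fields, the injected `post` function and the choice to send client credentials in the request body are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names; endpoint and client values are placeholders.
const SKEW_SECONDS = 30; // refresh slightly early to absorb clock drift and latency

// True when the access token is expired or about to expire.
function needsRefresh(tokenSet, nowSeconds) {
  return nowSeconds >= tokenSet.expires_at - SKEW_SECONDS;
}

// Build the refresh_token grant request (RFC 6749, section 6).
function buildRefreshRequest(config, refreshToken) {
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: refreshToken,
    client_id: config.clientId,
    client_secret: config.clientSecret,
  });
  return {
    url: config.tokenEndpoint,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Merge the token endpoint response into the stored token set.
function applyTokenResponse(tokenSet, response, nowSeconds) {
  if (response.error) {
    // e.g. invalid_grant: refresh token revoked or expired, so the user must log in again
    throw new Error(`refresh failed: ${response.error}`);
  }
  return {
    access_token: response.access_token,
    expires_at: nowSeconds + response.expires_in,
    // If the server rotates refresh tokens, store the new one; otherwise keep the old.
    refresh_token: response.refresh_token || tokenSet.refresh_token,
  };
}

// Return a usable token set, refreshing first if needed.
// `post` is an injected function that sends the request and resolves to parsed JSON.
async function getAccessToken(tokenSet, config, post, nowSeconds) {
  if (!needsRefresh(tokenSet, nowSeconds)) return tokenSet;
  const request = buildRefreshRequest(config, tokenSet.refresh_token);
  return applyTokenResponse(tokenSet, await post(request), nowSeconds);
}
```

Keep the refresh token and client secret on the server side only; the browser should never see either value.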
