undefined | Better HN

0 points0x4573y ago0 comments

Very simple, actually. Access tokens are short-lived and are irrevocable - google services only check validity and expiration of those tokens.

Refresh tokens are more like session tokens/cookies - those get checked every time. At Google scale, checking it probably expensive, so they are using refresh tokens.

These aren't for end-user or development experience, those are for AS performance.

0 comments

2 comments · 1 top-level

paulddraper3y ago· 1 in thread

That just pushes the problem around, yes?

So now the client servers have store/check the lifetime of tokens rather than resource servers.

Does that actually improve OAuth as a whole?

0x457OP3y ago

Even without refresh tokens, clients need to check lifetime. If the token is opaque and the lifetime is unknown, it is no different from a session cookie.

> Does that actually improve OAuth as a whole?

Like I said, this is an improvement for whoever is validating tokens and only them. Refresh tokens are not hard to use, not sure what's the confusion here:

`token = token.is_expired ? refresh_token() : token`

That's all. Even in wordy rust, it doesn't take much:

https://docs.rs/yup-oauth2/6.5.1/src/yup_oauth2/authenticato...

Are you mad that, unlike with opaque token, you know ahead of time when it's expired for sure rather than when you got 401?

j / k navigate · click thread line to collapse