#SpringSecurity: What is the difference between access and refresh token?

Himaanshu Shukla
2 min read · May 4, 2020


Access Token

  • An access token is a string representing an authorization issued to the client. Tokens represent specific scopes and duration of access, granted by the resource owner, and enforced by the resource server and authorization server.
  • An access token is sent in the Authorization header of the request and usually looks like ‘Bearer h090Yuuyuiyv’. It is verified by the API that the client is calling.
  • Access tokens are usually in JWT format, but any other format can be used.
  • Access tokens are usually short lived, because it is difficult (although not impossible) to centrally revoke access tokens.
  • The access token is used to access protected data until it expires.

Refresh Token

  • A refresh token is issued (along with the access token) to the client by the authorization server.
  • The refresh token is used to obtain a new access token once the existing access token has expired.
  • We can also obtain additional access tokens with identical or narrower scope from the refresh tokens.
  • Issuing a refresh token is optional at the discretion of the authorization server.
  • A refresh token is a long-lived token.
  • Only clients that can safely secure refresh tokens should use them.
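To make the Access Token and Refresh Token sections above concrete, here is an added example (not code from the original post, and not Spring Security's own implementation): a toy authorization server and resource server in one file. The signing key, the token lifetimes and the hand-rolled JWT-like token format are all assumptions of this example; it shows a short-lived signed access token checked by the API, a long-lived opaque refresh token stored server-side so it can be revoked, and the rule that a refresh may only yield an identical or narrower scope.

```python
# Added example, not from the original post. Key, TTLs and token format are constructed
# for illustration; a real deployment would use a JWT library and persistent storage.
import base64, hashlib, hmac, json, os, secrets, time

SECRET = os.urandom(32)            # demo signing key, generated per process
ACCESS_TTL = 300                   # access tokens expire after 5 minutes
REFRESH_TTL = 30 * 24 * 3600       # refresh tokens expire after 30 days
_refresh_store = {}                # refresh token -> {"sub", "scope", "exp"}; deleting revokes
def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _sign(payload):
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def verify_access_token(token, now=None):
    """Resource-server side: check the signature first, then the expiry. Returns claims or None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, AttributeError):   # malformed token or wrong type
        return None
    return claims if claims.get("exp", 0) > now else None

def issue_tokens(sub, scope, now=None):
    """Authorization-server side: issue an access token plus a refresh token for the same grant."""
    now = time.time() if now is None else now
    access = _sign({"sub": sub, "scope": sorted(scope), "exp": int(now + ACCESS_TTL)})
    refresh = secrets.token_urlsafe(32)
    _refresh_store[refresh] = {"sub": sub, "scope": set(scope), "exp": now + REFRESH_TTL}
    return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer"}

def refresh_access_token(refresh, requested_scope=None, now=None):
    """Exchange a refresh token for a new access token with identical or narrower scope."""
    now = time.time() if now is None else now
    rec = _refresh_store.get(refresh)
    if rec is None or rec["exp"] <= now:
        return None                        # unknown, revoked or expired refresh token
    scope = rec["scope"] if requested_scope is None else set(requested_scope)
    if not scope <= rec["scope"]:
        return None                        # broader than the original grant: refuse
    access = _sign({"sub": rec["sub"], "scope": sorted(scope), "exp": int(now + ACCESS_TTL)})
    return {"access_token": access, "token_type": "Bearer"}

def bearer_from_header(authorization):   # 'Bearer <token>' -> token, as the called API parses it
    scheme, _, token = authorization.strip().partition(" ")
    return token.strip() or None if scheme.lower() == "bearer" else None
```

The `now` parameter is injected so expiry can be tested deterministically; omit it to use the real clock.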

ID Token

  • An ID token represents the user’s identity.
  • Like access token it is also usually in JWT format, but doesn’t have to be.
  • An ID token must not contain any authorization or any audience information, since its job is merely to identify the user.

- Himanshu Shukla
