21.5 Short-lived tokens with Long-lived authorizations

OAuth 1.0 APIs typically issued extremely long-lasting access tokens: they lasted on the order of a year, or never expired at all. While convenient for developers, this proved limiting to service providers in certain situations.

Responsible API providers should allow users to see which third-party apps they have authorized to use their account, and users should be able to revoke an app if desired. If a user revokes an app, the API should stop accepting the access tokens issued to that app as soon as possible. Depending on how the API was implemented, this could be challenging or require additional ties between internal parts of the system, since with long-lived tokens every resource server would have to consult a shared revocation record on every request rather than simply checking the token itself.

With OAuth 2.0, the authorization server can issue a short-lived access token and a long-lived refresh token. This allows apps to obtain new access tokens without involving the user again, but also lets servers revoke access more easily: the resource server only has to check that the access token has not expired, while the authorization server checks whether the user's authorization still stands each time the refresh token is used. A revoked app therefore loses access within one access-token lifetime, without any resource server needing to know about the revocation. This feature was adopted from Yahoo!'s BBAuth protocol and later its OAuth 1.0 Session Extension.
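The following is an added example, not code from the book or from any real authorization server, showing the model described above: a user's authorization of an app is recorded as a grant, access tokens carry only an expiry, refresh tokens are checked against the grant (and rotated on each use), and revoking an app marks the grant dead so the next refresh fails. The token lifetimes, the `Grant` record, and the client and user identifiers are assumptions made for the example; the clock is injectable so the revocation lag can be demonstrated without waiting.

```python
import secrets
import time
from dataclasses import dataclass

# Lifetimes are assumptions for this example, not values from the text.
ACCESS_TOKEN_TTL = 10 * 60          # seconds; this is also the maximum revocation lag
REFRESH_TOKEN_TTL = 90 * 24 * 3600  # long-lived, but only usable while the grant stands


@dataclass
class Grant:
    """One user's authorization of one app: the thing the user can revoke."""
    grant_id: str
    user_id: str
    client_id: str
    scope: str
    revoked: bool = False


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so tests can move time forward
        self.grants = {}          # grant_id -> Grant
        self.access_tokens = {}   # token -> (grant_id, expires_at)
        self.refresh_tokens = {}  # token -> (grant_id, expires_at)

    def authorize(self, user_id, client_id, scope):
        """Called after the user consents; records the grant and issues the first token pair."""
        grant = Grant(secrets.token_hex(8), user_id, client_id, scope)
        self.grants[grant.grant_id] = grant
        return self._issue(grant)

    def _issue(self, grant):
        now = self.clock()
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.access_tokens[access] = (grant.grant_id, now + ACCESS_TOKEN_TTL)
        self.refresh_tokens[refresh] = (grant.grant_id, now + REFRESH_TOKEN_TTL)
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL, "refresh_token": refresh}

    def refresh(self, refresh_token, client_id):
        """Token endpoint, grant_type=refresh_token. Returns a new pair or None."""
        entry = self.refresh_tokens.pop(refresh_token, None)  # single use: rotated on every refresh
        if entry is None:
            return None
        grant_id, expires_at = entry
        grant = self.grants[grant_id]
        # Revocation is enforced here: a revoked grant can never be refreshed again,
        # and a refresh token presented by a different client is rejected.
        if self.clock() >= expires_at or grant.revoked or grant.client_id != client_id:
            return None
        return self._issue(grant)

    def validate_access_token(self, token):
        """Resource-server check: expiry only; the grant's revoked flag is deliberately
        not consulted, so a revoked app keeps working for at most ACCESS_TOKEN_TTL seconds."""
        entry = self.access_tokens.get(token)
        if entry is None:
            return None
        grant_id, expires_at = entry
        if self.clock() >= expires_at:
            return None
        grant = self.grants[grant_id]
        return {"user_id": grant.user_id, "client_id": grant.client_id, "scope": grant.scope}

    def authorized_apps(self, user_id):
        """What the user's 'apps you have authorized' page would list."""
        return sorted({g.client_id for g in self.grants.values()
                       if g.user_id == user_id and not g.revoked})

    def revoke_app(self, user_id, client_id):
        """User revokes an app: mark its grants dead; no token table needs to be touched."""
        for g in self.grants.values():
            if g.user_id == user_id and g.client_id == client_id:
                g.revoked = True
```

In a real deployment the access token would usually be a signed token the resource server can validate offline, which is exactly why it must stay short-lived: the only state the authorization server has to keep and consult is the grant, and it consults it at refresh time. Expired entries in the two token tables should be swept periodically; that housekeeping is omitted here.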

See Refreshing Access Tokens for more information.