refresh-token

Should I explicitly send the Refresh Token to get a new Access Token - JWT

穿精又带淫゛_ submitted on 2019-11-26 14:15:51
Question: In my application, I return an access token and a refresh token when a user logs in successfully. The expiration times for the access and refresh tokens have been set to 10 and 40 minutes respectively. (I should do some more research on those values. This is just for testing.) I used the implementation described in the following article: http://www.svlada.com/jwt-token-authentication-with-spring-boot/ Let's say I invoke a request to the server 10 minutes after logging in. Since the access token is

Why Does OAuth v2 Have Both Access and Refresh Tokens?

时间秒杀一切 submitted on 2019-11-26 03:16:48
Question: Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an access_token (which is used to authenticate oneself with a resource) as well as a refresh_token, which is used purely to create a new access_token: https://tools.ietf.org/html/rfc6749#section-4.2 Why have both? Why not just make the access_token last as long as the refresh_token and not have a refresh_token?

Answer 1: The idea of refresh tokens is that if an access token is compromised, because