OAuth - Frequently Asked Questions for Interviews and Self Evaluation

This page contains running notes. Not all questions will have complete answers and some may have no answers at all. Feel free to add your points as comments.

Why is refresh token needed when you have access token?

Access tokens are usually short-lived, and refresh tokens are used to obtain new access tokens. If a server issued long-lived access tokens, there would be no way to make the client stop using a token once the user or session is invalidated for any reason. With a refresh token, the server can re-validate the user / session every time a new access token is generated from that refresh token.

This may lead to another question. Why use a refresh token at all? Why not only use a short-lived access token? The answer is that it allows you to stay logged in without having to authenticate yourself explicitly with the OAuth provider by providing your user credentials again.
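As an added example (not part of the original notes), a small Python simulation of an authorization server that issues a short-lived access token together with a single-use, rotating refresh token. It shows the point made above: revoking the session cannot stop an access token that is already out there, but it does stop the next refresh. Token lifetimes, the user name and the clock values are constructed.

```python
import secrets
from dataclasses import dataclass, field

ACCESS_TTL = 300              # seconds; constructed example lifetime
REFRESH_TTL = 30 * 24 * 3600  # seconds; constructed example lifetime

@dataclass
class Session:
    user: str
    revoked: bool = False

@dataclass
class AuthServer:
    sessions: dict = field(default_factory=dict)        # session_id -> Session
    access_tokens: dict = field(default_factory=dict)   # token -> (session_id, expiry)
    refresh_tokens: dict = field(default_factory=dict)  # token -> (session_id, expiry)

    def login(self, user, now):
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(user)
        return self._issue(sid, now)

    def _issue(self, sid, now):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[at] = (sid, now + ACCESS_TTL)
        self.refresh_tokens[rt] = (sid, now + REFRESH_TTL)
        return at, rt

    def validate_access(self, token, now):
        # Resource-server check: only the token's own expiry is consulted, so a
        # revoked session keeps working until its access token runs out.
        entry = self.access_tokens.get(token)
        return entry is not None and now < entry[1]

    def refresh(self, token, now):
        entry = self.refresh_tokens.pop(token, None)  # single use: rotate on every refresh
        if entry is None:
            return None
        sid, expiry = entry
        if now >= expiry or self.sessions[sid].revoked:  # session re-validated here
            return None
        return self._issue(sid, now)

    def revoke_session(self, sid):
        self.sessions[sid].revoked = True

def demo():
    srv, t0 = AuthServer(), 1_700_000_000       # constructed clock, in seconds
    at1, rt1 = srv.login("alice", t0)
    sid = srv.access_tokens[at1][0]
    at2, rt2 = srv.refresh(rt1, t0 + 200)       # normal refresh before expiry
    replay = srv.refresh(rt1, t0 + 201)         # a rotated refresh token must not work twice
    srv.revoke_session(sid)                     # user logs out / admin disables the account
    return {
        "refresh_ok": at2 is not None,
        "replay_rejected": replay is None,
        "stale_access_still_valid": srv.validate_access(at2, t0 + 260),
        "refresh_after_revoke": srv.refresh(rt2, t0 + 260),
        "access_expired": srv.validate_access(at2, t0 + 200 + ACCESS_TTL),
    }
```

The gap between revocation and the access token's expiry is exactly why access tokens are kept short-lived.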

List various OAuth Grant Types

  1. Authorization code grant

    • Most common

  2. Implicit grant

    • Used mostly for mobile and single page web apps.

  3. Client credentials grant

    • Used mostly for system-to-system access.

What are the access token and refresh token expiry times for popular OAuth providers?
