14 Sep 2023

Independent three legged tokens on Authentication API V2

Default blog image

We already covered use cases and workflows for refresh tokens in the two blogs below

1 - about refresh token

2 - more about refresh token

If you haven't done so yet, I encourage you to go through them in order to get more familiar with refresh token.

In this blog, we'll cover one update about it that became valid with the introduction of V2 of Authentication API.

Let's say that one user went through three-legged flow and now your app has access to the pair token 1 and refresh token 1, which you store and use to perform some tasks.

Now, let's assume the same user went through the same process once more and now your app also has access to the pair token 2 and refresh token 2, just like in the image below:

two tokens

The update is that, in this case, using V2 API both of these pairs will be valid and independent.

*The same doesn't apply to V1

This means that, by using refresh token 1 you'll get a new pair (token 3 and refresh token 3), making only refresh token 1 invalid:

  • token 1 is independent (it only becomes invalid after the expiration time of one hour)

This is also valid if you use refresh token 2. You'll get a new pair (token 4 and refresh token 4), making only refresh token 2 invalid:

  • token 2 is also independent (it only becomes invalid after the expiration time of one hour)

It's just like in the image below:

refreshing tokens

In conclusion, even if a user logs in multiple times and generates multiple pairs of access and refresh tokens, each pair is independent and can be verified by the server. This way, user data is kept secure, and unauthorized access is prevented.

Related Article