get access token with access token?

Question

From what I understand so far about access token is that in Code flow, Client could get access token with either authorization code or refresh token.

But.. can it get new access token with access token it holds before the token's expired?

I read RFC6749 (1.1 ~ 1.4, 4.1, 4.2, 5 sections only for the sake of time) and I couldn't find such that

"access token must get issued by only explicit resource owner's grant or refresh token"

So I've been thinking..

How about issuing access token with access token.

What's wrong with this?

I'm almost noob to OAuth and learned it with only inte.net so I might totally misunderstand something D:

please enlighten me.. thanks!

Answer 1

You cant use an access token to get a new access token. Access tokens are self contained bearer tokens which grant you access to some data. (denoted by scope) For security reasons access tokens have a limited life time. Once it has expired you can not longer use it.

Consider if someone with a malicious intent got a hold of your access token. They can then use this to access the data, but only for a limited amount of time. Once the access token expired they would no longer be able to access that data.

refreshing access

The first step of the auth process gives you an authorization code, this is a one time code extremely short lived probably five minutes and can only be used once. When you exchange this you will get an access token and a refresh token if you requested offline access.

Refresh tokens can be used to get a new access token. You can use it to get access at a later date without requesting access of the user again. To get a new access token though you need to have the client and i and client secret that were used to create the access token in the first place, and in some cases you need to have access to the server that the redirect uri is residing. This way if the same a malicious person got access to their refresh token they cant use it to get a new access token unless they have your, client id, client secrete and server access.

You may find this interesting Understanding oauth2 with curl

Answer 2

TLDR

To be able to revoke access. Refresh token is used for that.

Here is my understanding. Access token are not retained by the auth server that issued them. They are very large in size and there may be a great number of them in a general case, one per scope or a set of scopes. Refresh tokens are short opaque strings and are retained by the auth server. They can be invalidated by the auth server to revoke authentication if a user's system has been found compromised. If an attacker obtained access/refresh token and used them from a different IP, for example. In this case the auth server will set a flag against the retained refresh token and will not refresh an access token without re-authentication.