What is the sense of having 2 tokens with #oauth? I have one real one, with that I do my requests and a second "refresh" token for when the first one expires. Why does it need to expire at all?
@l1am0 IIRC the refresh token only works once and you get a new refresh token with the new access token. So every time you renew your token you basically say "Hey, remember me? I've been here before and last time you gave me this *holds up refresh token*".
In some sense you build a trust chain back to the time you presented your real password once.
@l1am0 if it doesn’t expire, there’s not much difference to a password. But with tokens you limit the time someone can do nasty stuff, in case of a leak. And the refresh token also saves you from sending your real (and valid for a long time) password too often.
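The mechanism the replies describe (short-lived access token, single-use refresh token that is rotated on every renewal, password presented only once), as an added example that is not part of the thread. It is a toy in-memory authorization server, not real OAuth server code; the lifetimes, the user store and the `TokenServer` API are assumptions for illustration. It goes one step beyond the thread: when a refresh token that has already been spent is presented again, the whole refresh chain is revoked, since that replay means either a client bug or a stolen token.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed lifetimes for this example (not values from the thread).
ACCESS_TTL = 300            # 5 minutes: bounds how long a leaked access token is useful
REFRESH_TTL = 14 * 86400    # 14 days: how long a session can live without re-entering the password


def _h(token: str) -> str:
    """Store only hashes of tokens so a dump of server state does not contain usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    user: str
    current_refresh: str    # hash of the single refresh token that is still valid
    expires: float          # absolute expiry of the whole refresh chain
    revoked: bool = False


class TokenServer:
    def __init__(self, users: dict[str, str], clock=time.time):
        self.clock = clock                      # injectable so expiry can be tested offline
        self.salt = secrets.token_bytes(16)     # one salt for brevity; use per-user salts in practice
        self.pw = {u: self._pw_hash(p) for u, p in users.items()}
        self.access: dict[str, tuple[str, float]] = {}   # access hash -> (user, expiry)
        self.sessions: dict[str, Session] = {}            # refresh hash -> session, current AND spent

    def _pw_hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _issue(self, session: Session) -> tuple[str, str]:
        """Mint a new access/refresh pair; the previous refresh token stops being current."""
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.access[_h(access)] = (session.user, self.clock() + ACCESS_TTL)
        session.current_refresh = _h(refresh)
        self.sessions[_h(refresh)] = session    # spent tokens stay mapped so replay can be detected
        return access, refresh

    def login(self, user: str, password: str):
        """The only place the password is ever checked; returns None on failure."""
        stored = self.pw.get(user)
        if stored is None or not secrets.compare_digest(stored, self._pw_hash(password)):
            return None
        session = Session(user=user, current_refresh="", expires=self.clock() + REFRESH_TTL)
        return self._issue(session)

    def introspect(self, access: str):
        """What a resource server asks: who does this access token belong to, if anyone?"""
        entry = self.access.get(_h(access))
        if entry is None:
            return None
        user, expiry = entry
        if self.clock() >= expiry:
            del self.access[_h(access)]
            return None
        return user

    def refresh(self, refresh_token: str):
        """Exchange the current refresh token for a new pair; a spent token kills the chain."""
        session = self.sessions.get(_h(refresh_token))
        if session is None or session.revoked or self.clock() >= session.expires:
            return None
        if session.current_refresh != _h(refresh_token):
            # Replay of an already-used refresh token: client bug or theft. Log everyone out.
            session.revoked = True
            return None
        return self._issue(session)


def demo() -> dict:
    """Walk the lifecycle with a fake clock; returns the observations as a dict."""
    class Clock:
        t = 1_000_000.0
        def __call__(self):
            return self.t
    clock = Clock()
    srv = TokenServer({"alice": "correct horse"}, clock=clock)   # constructed user store
    out = {}
    out["bad_password"] = srv.login("alice", "wrong")
    a1, r1 = srv.login("alice", "correct horse")
    out["fresh_access"] = srv.introspect(a1)
    clock.t += ACCESS_TTL + 1                                    # access token ages out
    out["expired_access"] = srv.introspect(a1)
    a2, r2 = srv.refresh(r1)                                     # no password needed here
    out["after_refresh"] = srv.introspect(a2)
    out["old_refresh_reused"] = srv.refresh(r1)                  # spent token: chain revoked
    out["chain_after_reuse"] = srv.refresh(r2)
    return out


if __name__ == "__main__":
    print(demo())
```

Note the caveat the rotation does not cover: access tokens already minted (`a2` above) are not tied to the session and stay valid until their own expiry, which is exactly why they are kept short-lived.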