Refresh Tokens

Updated March 13th 2017

OAuth2 and OpenID Connect have a feature called refresh tokens: when your current access token expires, you can present the refresh token to ask for another one. This can be done without the user logging in again and supports things like rolling authentication (the user's session keeps being renewed as long as their last login was, for example, within the last 10 days).

Refresh tokens only matter for active resources - resources that change over time, such as friend lists, wall posts, bookmarks and so on. In these cases, if your access token has expired and you want fresh copies of this data, the resource server will refuse to return these resources. A refresh token would allow the site to renew access without the user logging in again.

PixelPin, being a pure authentication server, has no active resources. The data you obtain on first login (name, email address), for the most part, will not change. For this reason, PixelPin does not support refresh tokens.

This means it is up to you, the client, to decide when you want your users to re-authenticate, and to do this via the normal OpenID Connect login process. You set this up by adjusting the lifetime of your authentication cookie(s).
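As an added illustration (not PixelPin's own code), here is a client-side session policy for a provider that issues no refresh token: the session length is the cookie lifetime the client chooses, and when it runs out the client sends the user through a normal OpenID Connect login rather than attempting a refresh. The token response and ID-token claims are constructed sample data, and the function and field names are assumptions.

```python
from dataclasses import dataclass

# Constructed token response from an authentication server that, like PixelPin,
# issues no refresh_token. Values are placeholders, not real tokens.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "placeholder-access-token",
    "id_token": "placeholder-id-token",
    "token_type": "Bearer",
    "expires_in": 3600,  # access-token lifetime; NOT the client session lifetime
}
# Constructed claims as they would look after the ID token's signature is verified.
SAMPLE_ID_CLAIMS = {"sub": "user-123", "auth_time": 1_700_000_000}

@dataclass
class ClientSession:
    subject: str            # 'sub' claim of the validated ID token
    auth_time: float        # epoch seconds of the last completed OIDC login
    cookie_lifetime: float  # seconds the client chose for its authentication cookie

def build_session(token_response, id_claims, cookie_lifetime, now):
    """Start a client session from a token response and validated ID-token claims.

    With no refresh_token the session can only be extended by a new OIDC login,
    so its length is the cookie lifetime the client picked, not expires_in."""
    if "refresh_token" in token_response:
        raise ValueError("provider issued a refresh_token; this policy assumes none")
    if "id_token" not in token_response:
        raise ValueError("no id_token in response; cannot establish a login")
    auth_time = float(id_claims.get("auth_time", now))  # provider-attested when present
    return ClientSession(id_claims["sub"], auth_time, float(cookie_lifetime))

def cookie_max_age(session, now):
    """Seconds of cookie life remaining, for the Set-Cookie Max-Age attribute."""
    return max(0, int(session.auth_time + session.cookie_lifetime - now))

def needs_reauthentication(session, now):
    """True once the cookie lifetime has elapsed: send the user through the
    normal OpenID Connect login again rather than trying to refresh."""
    return cookie_max_age(session, now) == 0

if __name__ == "__main__":
    t0 = SAMPLE_ID_CLAIMS["auth_time"]
    s = build_session(SAMPLE_TOKEN_RESPONSE, SAMPLE_ID_CLAIMS, 8 * 3600, t0)
    print(cookie_max_age(s, t0 + 3600), needs_reauthentication(s, t0 + 9 * 3600))
```

Note that the access token's `expires_in` never shortens the session: with no active resources there is nothing to call after the initial login, so only the cookie lifetime decides when the user must log in again.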