I know the difference in concept and purpose, but what happens at the syntax level?
Let's suppose a login endpoint with basic tokens response:
http://acme.com/login
{
"access_token": "AYjcyMzY3ZDhiNmJkNTY",
"refresh_token": "RjY2NjM5NzA2OWJjuE7c",
"expires_in": 3600
}
Both tokens have been generated by the security server using its algorithms (secret and claims).
So when access_token expires, I need to renew it using some endpoint like
http://acme.com/oauth/token
sending the refresh_token.
At this point my question arises:
Assuming that these tokens have different string values and different expiration times, but they have been generated with the same secret, claims or algorithms,
and I need to implement refresh token generation and validation at the security server backend,
how to differentiate access_token from refresh_token?
Current Workaround
Add an extra claim (e.g. type=refresh) just for the refresh_token, so when I receive a token string in the security server and I decode it, this claim is useful to determine if the received string is a refresh_token and not an access_token.
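One way to implement the type-claim workaround from the question, as an added example that is not code from the question or from any project: a minimal HS256 JWT issuer and verifier written against the Python standard library only (a JWT library would do the same job), with the secret, the subject "alice", the timestamps and the lifetimes all constructed placeholder values. The refresh endpoint accepts only tokens whose `type` claim is `refresh`, and the resource side accepts only `access`, so a refresh token presented as a bearer token (or an access token sent to the refresh endpoint) is rejected even though both are signed with the same secret and share the other claims.

```python
import base64
import hashlib
import hmac
import json

ALG = "HS256"            # the only algorithm this example accepts
ACCESS_TTL = 3600        # seconds, matches "expires_in" in the question
REFRESH_TTL = 30 * 24 * 3600   # constructed: 30-day refresh token lifetime


class TokenError(Exception):
    """Raised for any token the server must reject."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode(claims: dict, secret: bytes) -> str:
    """Sign claims as a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": ALG, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode(token: str, secret: bytes, now: int) -> dict:
    """Verify signature and expiry, return the claims. Does not check 'type'."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != ALG:          # never let the token pick the algorithm
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def issue_tokens(subject: str, secret: bytes, now: int) -> dict:
    """Login response: same secret and claims, differing only in 'type' and 'exp'."""
    base = {"sub": subject, "iat": now}
    access = encode({**base, "type": "access", "exp": now + ACCESS_TTL}, secret)
    refresh = encode({**base, "type": "refresh", "exp": now + REFRESH_TTL}, secret)
    return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TTL}


def _require_type(claims: dict, expected: str) -> dict:
    if claims.get("type") != expected:
        raise TokenError(f"expected a {expected} token, got {claims.get('type')!r}")
    return claims


def refresh_access_token(refresh_token: str, secret: bytes, now: int) -> str:
    """The /oauth/token endpoint: only a 'refresh' token may mint a new access token."""
    claims = _require_type(decode(refresh_token, secret, now), "refresh")
    return encode({"sub": claims["sub"], "iat": now, "type": "access",
                   "exp": now + ACCESS_TTL}, secret)


def authorize(access_token: str, secret: bytes, now: int) -> str:
    """Resource side: only an 'access' token is a valid bearer token; returns the subject."""
    return _require_type(decode(access_token, secret, now), "access")["sub"]


def is_rejected(fn, *args) -> bool:
    """Helper for checks below: True if the server would reject the call."""
    try:
        fn(*args)
    except TokenError:
        return True
    return False


if __name__ == "__main__":
    secret = b"constructed-test-secret"   # constructed; use a random key in practice
    t0 = 1_700_000_000                    # constructed login time (epoch seconds)
    tokens = issue_tokens("alice", secret, t0)
    print(json.dumps(tokens, indent=2))
    print("bearer ok:", authorize(tokens["access_token"], secret, t0 + 10))
    print("refresh as bearer rejected:", is_rejected(authorize, tokens["refresh_token"], secret, t0 + 10))
    print("access at refresh endpoint rejected:",
          is_rejected(refresh_access_token, tokens["access_token"], secret, t0 + 10))
```

Because `decode` verifies the signature before the `type` claim is consulted, a client cannot simply flip `type` in the payload: the claim is covered by the HMAC like every other claim. The `exp` check is what actually separates the two lifetimes; the `type` check is what stops one kind of token standing in for the other while both are still valid.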