Most APIs around the web provide two methods:
My question is: why is it so widely preferred to do a login and then a possible sequence of periodic refreshToken calls instead of simply logging in again when the access token expires?
What are the benefits of a refresh versus a full login?
After doing some more research, I find that it's to limit the space for a Man-In-The-Middle attack.
If someone intercepts your user/password, you have lost. And if you send it in plain text at each call, the probability increases that someone intercepts it.
If you log in and then for a while use the access_token, a bad actor could intercept the access_token, but at least they can only use it until it expires.
Again, instead of a re-login, the remote server will use the refresh_token to obtain a new access token.
The refresh token expires after first use, so it's useless to intercept.
And so on.
So for server to server, the actual best practice is:
login - receive access_token and refresh_token
when the access_token expires, use the refresh_token to obtain a new access_token.
If both access_token and refresh_token have expired, re-login with the app_id/app_secret pair.
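The three-step recipe above, worked through as an added example written for this page (it is not code from any real API or from the poster). The in-memory auth server, the token lifetimes, the `demo-app`/`demo-secret` credentials and the fake clock are all assumptions made so the flow runs offline; the point it shows is that the secret is sent only at login and at a full re-login, that an expired access_token is replaced via the refresh_token, and that a single-use refresh_token is worthless once it has been redeemed.

```python
import secrets

ACCESS_TTL = 300      # seconds an access_token is valid (assumed value)
REFRESH_TTL = 3600    # seconds a refresh_token is valid (assumed value)


class FakeClock:
    """Controllable clock so the example is instant and deterministic."""
    def __init__(self):
        self.now = 1_000_000.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class AuthServer:
    """Issues tokens; refresh tokens are single-use and rotated on each refresh."""
    def __init__(self, clients, clock):
        self.clients = clients   # app_id -> app_secret
        self.clock = clock
        self.access = {}         # access_token -> (app_id, expiry)
        self.refresh = {}        # refresh_token -> (app_id, expiry)

    def _issue(self, app_id):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = (app_id, now + ACCESS_TTL)
        self.refresh[refresh] = (app_id, now + REFRESH_TTL)
        return {"access_token": access, "refresh_token": refresh}

    def login(self, app_id, app_secret):
        # Constant-time compare so a wrong secret is not distinguishable by timing.
        if not secrets.compare_digest(self.clients.get(app_id, ""), app_secret):
            raise PermissionError("bad app_id/app_secret")
        return self._issue(app_id)

    def refresh_grant(self, refresh_token):
        entry = self.refresh.pop(refresh_token, None)   # pop => usable exactly once
        if entry is None:
            raise PermissionError("unknown or already-used refresh_token")
        app_id, expiry = entry
        if self.clock() > expiry:
            raise PermissionError("refresh_token expired")
        return self._issue(app_id)

    def api_call(self, access_token):
        entry = self.access.get(access_token)
        if entry is None or self.clock() > entry[1]:
            raise PermissionError("access_token invalid or expired")
        return {"ok": True, "app_id": entry[0]}


class ApiClient:
    """Client side: login, refresh on expiry, re-login only when the refresh fails."""
    def __init__(self, server, app_id, app_secret):
        self.server, self.app_id, self.app_secret = server, app_id, app_secret
        self.tokens, self.logins, self.refreshes = None, 0, 0

    def _login(self):
        self.tokens = self.server.login(self.app_id, self.app_secret)
        self.logins += 1

    def call(self):
        if self.tokens is None:
            self._login()
        try:
            return self.server.api_call(self.tokens["access_token"])
        except PermissionError:
            pass   # access_token expired: try the refresh_token before resending the secret
        try:
            self.tokens = self.server.refresh_grant(self.tokens["refresh_token"])
            self.refreshes += 1
        except PermissionError:
            self._login()   # both tokens gone: fall back to the app_id/app_secret pair
        return self.server.api_call(self.tokens["access_token"])


def run_demo():
    """Drive the flow through the three cases listed above and report what happened."""
    clock = FakeClock()
    server = AuthServer({"demo-app": "demo-secret"}, clock)   # constructed credentials
    client = ApiClient(server, "demo-app", "demo-secret")

    client.call()                        # first call: full login with the secret
    first_refresh = client.tokens["refresh_token"]
    clock.advance(ACCESS_TTL + 1)        # access_token expired, refresh_token still valid
    client.call()                        # served via refresh; no secret on the wire

    # A captured copy of the already-redeemed refresh_token is rejected.
    try:
        server.refresh_grant(first_refresh)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True

    clock.advance(REFRESH_TTL + 1)       # now both tokens are expired
    client.call()                        # falls back to a full re-login
    return {"logins": client.logins, "refreshes": client.refreshes,
            "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(run_demo())   # {'logins': 2, 'refreshes': 1, 'replay_rejected': True}
```

Running it shows two logins and one refresh across the three phases, with the replay of the used refresh_token refused. The single-use rotation is what makes an intercepted refresh_token "useless": a server that wants to go further can treat a second presentation of a redeemed refresh_token as evidence of theft and revoke the whole token family for that client.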