Tags: javascript, nestjs, passport.js, passport-google-oauth, nestjs-passport

Understanding the Purpose of Access and Refresh Tokens in passport-google-oauth20 with NestJS


I'm using passport-google-oauth20 with NestJS and I don't understand why the validate method takes access and refresh tokens as arguments. I haven't seen any examples of how to use them. Everything seems to be working fine and the library seems to be doing all the work for me. So what are they for, and how can I use them? And how do I implement logic related to them?


Solution

"Everything seems to be working fine and the library seems to be doing all the work for me."

For a basic approach, yeah, that's the case. That's how the passport integrations are generally written.

What are access tokens used for?

Just what it sounds like: access to the OAuth server. They are used when you want to get more data from the OAuth source than what the passport strategy has already gotten for you. This could be calendar data, games data, profile pictures, etc., if the OAuth grants give you access to those APIs.

What are refresh tokens used for?

Well, it would be pretty silly for an OAuth provider to just hand out a token and say "No matter what, just come with that token and we'll give you some data," wouldn't it? Refresh tokens are for refreshing your access token when the access token expires. Now, refresh tokens expire as well, but usually have a much longer shelf life than access tokens (think weeks vs. hours), but it also all depends on the OAuth provider.

If you don't need more data, don't worry about them; you can safely ignore them. They'll live in memory and be gone before you know it. If you do need more data, take care and properly store them in a database to allow you to get them later.

Also, I'd suggest you read up on OAuth flows, as they'll help make sense of what all these tokens do for you in more depth.
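As an added example (not code from the question or the answer), here is one way to act on the tokens that `validate()` receives in a NestJS Google strategy: store them per user, keep a refresh token from an earlier consent when Google omits it on later logins, and refresh the access token through Google's token endpoint before calling an API. The `TokenStore`, the one-hour access-token lifetime, the `onGoogleLogin`/`getAccessToken` names and the injected `fetchImpl` are assumptions made for this example; Google only issues a refresh token at all when the login requested offline access.

```typescript
// Added example, not code from the question or the answer. TokenStore stands in for your
// database and fetchImpl is injected so the refresh call can be exercised offline.
const GOOGLE_TOKEN_ENDPOINT = 'https://oauth2.googleapis.com/token';
const ASSUMED_ACCESS_TOKEN_TTL_MS = 3600 * 1000; // Google access tokens normally last about 1h
const SKEW_MS = 60 * 1000; // refresh slightly before the recorded expiry

export interface StoredTokens { accessToken: string; refreshToken?: string; expiresAt: number }
export type FetchLike = (url: string, init: { method: string; headers: Record<string, string>; body: string }) =>
  Promise<{ ok: boolean; json(): Promise<any> }>;

export class TokenStore {
  private byUser: { [userId: string]: StoredTokens | undefined } = {};
  save(userId: string, t: StoredTokens): void { this.byUser[userId] = t; }
  get(userId: string): StoredTokens | undefined { return this.byUser[userId]; }
}

// What a NestJS GoogleStrategy.validate(accessToken, refreshToken, profile) could do with its
// arguments. Google sends a refresh token only when offline access was requested, and usually
// only on the first consent, so an absent refreshToken must not overwrite the stored one.
export function onGoogleLogin(store: TokenStore, accessToken: string, refreshToken: string | undefined,
                              profile: { id: string }, now: number = Date.now()) {
  const previous = store.get(profile.id);
  store.save(profile.id, {
    accessToken,
    refreshToken: refreshToken ?? previous?.refreshToken,
    expiresAt: now + ASSUMED_ACCESS_TOKEN_TTL_MS,
  });
  return { userId: profile.id }; // whatever validate() returns becomes req.user
}

// Returns an access token usable for a Google API call, refreshing it via the token endpoint
// when the stored one has expired (the request shape is Google's standard refresh grant).
export async function getAccessToken(store: TokenStore, userId: string, client: { id: string; secret: string },
                                     fetchImpl: FetchLike, now: number = Date.now()): Promise<string> {
  const t = store.get(userId);
  if (!t) throw new Error('user has not logged in with Google');
  if (t.expiresAt - SKEW_MS > now) return t.accessToken;
  if (!t.refreshToken) throw new Error('access token expired and no refresh token stored: re-run the login flow');
  const body = ['grant_type=refresh_token', `refresh_token=${encodeURIComponent(t.refreshToken)}`,
                `client_id=${encodeURIComponent(client.id)}`, `client_secret=${encodeURIComponent(client.secret)}`].join('&');
  const res = await fetchImpl(GOOGLE_TOKEN_ENDPOINT, {
    method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body,
  });
  if (!res.ok) throw new Error('refresh failed: the refresh token may have expired or been revoked');
  const json = await res.json();
  store.save(userId, { ...t, accessToken: json.access_token, expiresAt: now + json.expires_in * 1000 });
  return json.access_token;
}
```

In a real strategy, the secret and refresh tokens belong in a database with access controls, not in process memory, and a failed refresh is the signal to send the user back through the consent flow.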