So, by now we know that if I'm, say, in love with the show Doctor Who and want to download an episode, I can go to a website that sells episodes for $9.99 (we'll call it Tunes Partner). I'll pay for the episode by giving Tunes Partner an access token, allowing it to charge my bank $9.99. Then I can download Doctor Who off Tunes Partner, which will have charged my bank even though it never saw my password.
But what if I'm chronically addicted to Doctor Who and I just want to download each new episode released every week? I don't want to have to be prompted every week: "Are you sure you want Tunes Partner to charge you $9.99?" That's annoying - it's bad user experience. I've already authorized Tunes Partner to charge me. Has Tunes Partner even seen Doctor Who? It's excellent. I want Tunes Partner to charge my bank every week. Just give me my Doctor Who!
But I don't want to give Tunes Partner an access token that never expires - then they could charge me $10 every day. Or, they could get hacked and someone could empty my bank account. So access tokens are one-time use only. But then, what does Tunes Partner do next month when they want to charge me again?
Here's how it works.
We give them something called a refresh token. Every month, Tunes Partner can trade that refresh token for a new access token, in effect saying, "I have a refresh token proving you already said I can charge you $9.99 every month. It's the first of the month, so please give me a new access token."
We give Tunes Partner a new access token for its old refresh token. Tunes Partner can use that new access token to charge me $9.99 and I can get more Doctor Who. Everybody's happy. We also give Tunes Partner a new refresh token, so that next month, it can again get a new access token to charge me $9.99 - and a new refresh token, so the cycle can continue and I never run out of Doctor Who, but never have to be reprompted to authorize the transaction.
And when I don't want any more Doctor Who (ha! yeah right!) I can just take Tunes Partner's refresh token away.
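The monthly exchange described above, together with the revocation at the end, as an added Python example (not code from the original post or from Ping Identity). The in-memory AuthServer, the token format, and the handling of a rotated-out refresh token that comes back are all assumptions; the last of those goes one step beyond the post.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class AuthServer:
    """Constructed in-memory authorization server for the Tunes Partner story (no network)."""
    access: dict = field(default_factory=dict)   # live access token -> grant id
    refresh: dict = field(default_factory=dict)  # live refresh token -> grant id
    spent: dict = field(default_factory=dict)    # rotated-out refresh token -> grant id
    grants: dict = field(default_factory=dict)   # grant id -> client the user consented to

    def authorize(self, client):
        """The user's one-time consent: returns the first (access_token, refresh_token) pair."""
        grant_id = secrets.token_hex(8)
        self.grants[grant_id] = client
        return self._issue(grant_id)

    def _issue(self, grant_id):
        access_token, refresh_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access_token] = grant_id
        self.refresh[refresh_token] = grant_id
        return access_token, refresh_token

    def charge(self, access_token):
        """Bank side: honour the access token once, then forget it (one-time use, as in the post)."""
        return self.access.pop(access_token, None) is not None

    def refresh_grant(self, client, refresh_token):
        """grant_type=refresh_token: swap the old refresh token for a new token pair, or None."""
        if refresh_token in self.spent:
            # Assumption beyond the post: a rotated-out refresh token coming back means it
            # leaked (or a client double-submitted), so the safe response is to end the grant.
            self._revoke_grant(self.spent[refresh_token])
            return None
        grant_id = self.refresh.get(refresh_token)
        if grant_id is None or self.grants[grant_id] != client:
            return None  # unknown, revoked, or presented by the wrong client
        del self.refresh[refresh_token]
        self.spent[refresh_token] = grant_id
        return self._issue(grant_id)

    def revoke(self, refresh_token):
        """The user takes Tunes Partner's refresh token away: nothing issued under it works again."""
        grant_id = self.refresh.get(refresh_token)
        if grant_id is not None:
            self._revoke_grant(grant_id)

    def _revoke_grant(self, grant_id):
        self.refresh = {t: g for t, g in self.refresh.items() if g != grant_id}
        self.access = {t: g for t, g in self.access.items() if g != grant_id}
```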
Susi Remondi is a Technical Content Creator and Instructor at Ping Identity.