刷新令牌至少有两个用途。首先，刷新令牌是一种“证明”，证明OAuth2客户端已经从用户那里获得了访问其数据的权限，因此可以再次请求新的访问令牌，而不需要用户经历整个OAuth2流程。其次，与长时间的访问令牌相比，它有助于增加整个安全流。我将更详细地讨论这两点。

刷新令牌作为一种不惹恼用户的方法

Let's talk about the first purpose with an example. Suppose you, a User, were using a third party Client web application that wanted to interact with your YouTube account data. Once you grant permission to the Client application to use your YouTube data, would you want the Client app to prompt you for your permission again when its YouTube token expired? What happens if the YouTube token expiry time was something very low, like 5 minutes. It would get a little annoying having the Client application prompt you for your permission at least every 5 minutes! The solution that OAuth2 proposes to this 'problem' is refresh tokens. By using refresh tokens, the access token can remain short-lived (which is desirable in case the access token is leaked or stolen somehow), and the refresh token can remain long(er)-lived, allowing the Client to get a new access token when one expires without requiring the user's permission (again).

But why a refresh token? If the point is to not bug the User with permission requests, then why can't the Client simply say "Hey, Authorization Server, I want another access token. Now!"? Or, "Hey Authorization Server, here is my expired token, give me a new one!". Well, the refresh token serves as a kind of "proof" that the Client at some original point in time was granted access by a User. This "proof" is in the form of the refresh token being digitally signed by the Authorization Server. By the Client presenting a refresh token, the Authorization Server can verify that the Client received, at some point in the past, permission from the User, and the Client does not have to prompt the User again.

刷新令牌作为提高安全性的一种手段

然而，这就提出了一个问题，“如果刷新令牌被泄露或被盗，或者只是被恶意客户端应用程序保留，而不应用户的请求删除它，会发生什么呢?”攻击者不能继续使用刷新令牌无限期地获得有效的访问令牌(或直到它过期)吗?这个问题导致讨论我提到的第二个目的，即刷新令牌有助于更安全的流程。

The issue that arises with access tokens is that, once acquired, they only ever get presented to the Resource Server (YouTube for example). So if an access token is stolen or compromised, how do you tell the Resource Server not to trust that token? Well, you can't really. The only way to do it would be to change the private signing key on the Authorization Server (the key that signed the token in the first place). I imagine this is inconvenient to do, and in some cases (like Auth0), is not supported.

另一方面，刷新令牌需要频繁地呈现给授权服务器，因此如果其中一个令牌被泄露，那么撤销或拒绝整个刷新令牌是很简单的，而不必更改任何签名密钥。

访问令牌生命周期短。一旦它过期，您需要一个新的访问令牌来访问受保护的资源。一种获取新访问令牌的方法是再次验证资源所有者并获得授权，然后获取访问令牌。然而，这很烦人。

这个问题可以用刷新令牌来解决。它的寿命很长。因此，您可以使用它来获得新的访问令牌，而无需与资源所有者交互。

好吧，你可能会想，用长寿命的代币来获得另一个短寿命的钥匙有什么意义呢?好吧，即使刷新令牌被破坏，攻击者也不能从中获取访问令牌。原因是攻击者需要客户端凭据以及刷新令牌。

因此，访问令牌的生命周期将很短(原因可以在其他答案中找到)，以提高安全性。为了避免资源所有者在访问令牌过期时感到厌烦，OAuth使用刷新令牌。

下面是OAuth 2.0文档中的信息。

刷新令牌用于在当前访问令牌失效或过期时获取新的访问令牌，或获取具有相同或更窄范围的其他访问令牌(访问令牌的生命周期可能比资源所有者授权的权限更短)。

  +--------+                                           +---------------+
  |        |--(A)------- Authorization Grant --------->|               |
  |        |                                           |               |
  |        |<-(B)----------- Access Token -------------|               |
  |        |               & Refresh Token             |               |
  |        |                                           |               |
  |        |                            +----------+   |               |
  |        |--(C)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(D)- Protected Resource --| Resource |   | Authorization |
  | Client |                            |  Server  |   |     Server    |
  |        |--(E)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(F)- Invalid Token Error -|          |   |               |
  |        |                            +----------+   |               |
  |        |                                           |               |
  |        |--(G)----------- Refresh Token ----------->|               |
  |        |                                           |               |
  |        |<-(H)----------- Access Token -------------|               |
  +--------+           & Optional Refresh Token        +---------------+

(A)客户端通过认证请求访问令牌 授权服务器和呈现授权授予。

(B)授权服务器对客户端进行身份验证和验证 授权授予，如果有效，则发出访问令牌 和一个刷新令牌。

(C)客户端向资源发出受保护资源请求 通过显示访问令牌来访问服务器。

(D)资源服务器验证访问令牌，如果有效， 为请求服务。

(E)步骤(C)和(D)重复直到访问令牌过期。如果 客户端知道访问令牌过期，则跳过步骤(G); 否则，它将发出另一个受保护资源请求。

(F)由于访问令牌无效，资源服务器返回 无效的令牌错误。

(G)客户端通过验证请求一个新的访问令牌 授权服务器和显示刷新令牌。的 客户端身份验证需求取决于客户端类型 以及授权服务器策略。

(H)授权服务器对客户端进行身份验证和验证 刷新令牌，如果有效，发出一个新的访问令牌(并且， 可选的，一个新的刷新令牌)。

基本上，刷新令牌用于获取新的访问令牌。

为了清楚地区分这两个令牌并避免混淆，以下是OAuth 2.0授权框架中给出的它们的功能:

Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client uses the access token to access the protected resources hosted by the resource server. Refresh Tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope.

现在，为了回答你的问题，为什么你仍然被发出一个刷新令牌，而不仅仅是保护一个访问令牌，互联网工程任务组在刷新令牌中提供的主要原因是:

出于安全原因，refresh_token只与授权服务器交换，而access_token则与资源服务器交换。这降低了在“一个访问令牌可以持续一小时，有一个刷新令牌可以持续一年或直到被撤销”和“一个访问令牌可以持续到被撤销而没有刷新令牌”之间存在的长期access_token泄漏的风险。

有关OAuth 2.0流程的更详细和完整的信息，请尝试阅读以下参考资料:

OAuth 2.0流程:服务器端web应用程序 IETF (Internet Engineering Task Force)发布的OAuth 2.0授权框架 为什么OAuth v2同时拥有访问和刷新令牌?

这是一次很好的学习经历，了解了令牌、刷新令牌和缓存它。然而，(我很好奇，我在这里不给出任何建议)我们可以使用用户登录后返回的代码，当使用微软身份平台时。我们是否可以只存储CodeIdToken，并在需要时使用它来获取新的访问令牌?因为我在想，我们用它来获得访问令牌，那么我们应该每次都用来重新生成访问令牌吗?

 ...
 ResponseType = OpenIdConnectResponseType.CodeIdToken,
...

and

private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
    {
        IConfidentialClientApplication clientApp = MsalAppBuilder.BuildConfidentialClientApplication();
        AuthenticationResult result = await clientApp.AcquireTokenByAuthorizationCode(new[] { "User.Read" }, context.Code)
          .ExecuteAsync();
    }
    

刷新令牌至少有两个用途。首先，刷新令牌是一种“证明”，证明OAuth2客户端已经从用户那里获得了访问其数据的权限，因此可以再次请求新的访问令牌，而不需要用户经历整个OAuth2流程。其次，与长时间的访问令牌相比，它有助于增加整个安全流。我将更详细地讨论这两点。

刷新令牌作为一种不惹恼用户的方法

Let's talk about the first purpose with an example. Suppose you, a User, were using a third party Client web application that wanted to interact with your YouTube account data. Once you grant permission to the Client application to use your YouTube data, would you want the Client app to prompt you for your permission again when its YouTube token expired? What happens if the YouTube token expiry time was something very low, like 5 minutes. It would get a little annoying having the Client application prompt you for your permission at least every 5 minutes! The solution that OAuth2 proposes to this 'problem' is refresh tokens. By using refresh tokens, the access token can remain short-lived (which is desirable in case the access token is leaked or stolen somehow), and the refresh token can remain long(er)-lived, allowing the Client to get a new access token when one expires without requiring the user's permission (again).

But why a refresh token? If the point is to not bug the User with permission requests, then why can't the Client simply say "Hey, Authorization Server, I want another access token. Now!"? Or, "Hey Authorization Server, here is my expired token, give me a new one!". Well, the refresh token serves as a kind of "proof" that the Client at some original point in time was granted access by a User. This "proof" is in the form of the refresh token being digitally signed by the Authorization Server. By the Client presenting a refresh token, the Authorization Server can verify that the Client received, at some point in the past, permission from the User, and the Client does not have to prompt the User again.

刷新令牌作为提高安全性的一种手段

然而，这就提出了一个问题，“如果刷新令牌被泄露或被盗，或者只是被恶意客户端应用程序保留，而不应用户的请求删除它，会发生什么呢?”攻击者不能继续使用刷新令牌无限期地获得有效的访问令牌(或直到它过期)吗?这个问题导致讨论我提到的第二个目的，即刷新令牌有助于更安全的流程。

The issue that arises with access tokens is that, once acquired, they only ever get presented to the Resource Server (YouTube for example). So if an access token is stolen or compromised, how do you tell the Resource Server not to trust that token? Well, you can't really. The only way to do it would be to change the private signing key on the Authorization Server (the key that signed the token in the first place). I imagine this is inconvenient to do, and in some cases (like Auth0), is not supported.

另一方面，刷新令牌需要频繁地呈现给授权服务器，因此如果其中一个令牌被泄露，那么撤销或拒绝整个刷新令牌是很简单的，而不必更改任何签名密钥。