Salesforce Developer Security Auth Oauth Tokens

salesforce-developer-security

// Salesforce - Developer - Security - OAuth - Types of Tokens:

The different OAuth flows use different types of tokens defined by OAuth 2.0. 
Here is some basic information about these token types: 

1. Authorization code - An authorization code is a short-lived token created by 
   the authorization server and passed to the client application via the 
   browser. The client application sends the authorization code to the 
   authorization server to obtain an access token and, optionally, a refresh 
   token.

2. Access token - The access token is used by the client to make authenticated 
   requests on behalf of the end user. It has a longer lifetime than the 
   authorization code, typically on the order of minutes or hours. When the 
   access token expires, attempts to use it will fail, and a new access token 
   must be obtained.

3. Refresh token - The refresh token may have an indefinite lifetime, persisting 
   for an admin-configured interval or until explicitly revoked by the end-user. 
   The client application can store the refresh token, using it to periodically 
   obtain fresh access tokens, but should be careful to protect it against 
   unauthorized access, since, like a password, it can be repeatedly used to 
   gain access to the resource server.

4. ID token - OpenID Connect defines the ID token, a signed data structure that 
   contains authenticated user attributes including a unique identifier for the 
   end-user, the time at which the token was issued, and an identifier for the 
   client application that requested the token. The ID token is encoded as a 
   JSON Web Token (JWT).
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License