Class RefreshToken

  • All Implemented Interfaces:
    java.io.Serializable, org.gluu.persist.model.base.Deletable

    public class RefreshToken
    extends AbstractToken

    Authorization servers MAY issue refresh tokens to web application clients and native application clients.

    Refresh tokens MUST be kept confidential in transit and storage, and shared only among the authorization server and the client to whom the refresh tokens were issued.

    The authorization server MUST maintain the binding between a refresh token and the client to whom it was issued. The authorization server MUST verify the binding between the refresh token and client identity whenever the client identity can be authenticated. When client authentication is not possible, the authorization server SHOULD deploy other means to detect refresh token abuse.

    For example, the authorization server could employ refresh token rotation in which a new refresh token is issued with every access token refresh response. The previous refresh token is invalidated but retained by the authorization server. If a refresh token is compromised and subsequently used by both the attacker and the legitimate client, one of them will present an invalidated refresh token which will inform the authorization server of the breach.

    The authorization server MUST ensure that refresh tokens cannot be generated, modified, or guessed to produce valid refresh tokens by unauthorized parties.
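The rotation scheme described above, together with client binding and unguessable token values, as an added Java example (not Gluu's code). The class name `RotatingRefreshTokenStore`, the in-memory map, storing only a SHA-256 of each token, and revoking the whole token family when an invalidated token is replayed are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

// Hypothetical in-memory store showing rotation with reuse detection; not the Gluu implementation.
public class RotatingRefreshTokenStore {
    private static final class Entry {
        final String clientId, familyId; boolean active = true;
        Entry(String clientId, String familyId) { this.clientId = clientId; this.familyId = familyId; }
    }
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Entry> byHash = new HashMap<>(); // key: SHA-256 of the token, never the token

    private static String sha256(String token) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.US_ASCII));
        return Base64.getEncoder().encodeToString(d);
    }
    private String mint(String clientId, String familyId) throws Exception {
        byte[] raw = new byte[32];                    // 256 bits from a CSPRNG: not guessable
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byHash.put(sha256(token), new Entry(clientId, familyId));
        return token;
    }
    /** Initial grant: starts a new token family bound to the client. */
    public synchronized String issue(String clientId) throws Exception {
        return mint(clientId, UUID.randomUUID().toString());
    }
    /** Refresh: returns the successor token, or throws if the presented token must be rejected. */
    public synchronized String rotate(String clientId, String presented) throws Exception {
        Entry e = byHash.get(sha256(presented));
        if (e == null || !e.clientId.equals(clientId))
            throw new SecurityException("unknown token or client binding mismatch");
        if (!e.active) {                              // invalidated token presented again: breach signal
            for (Entry other : byHash.values())
                if (other.familyId.equals(e.familyId)) other.active = false;
            throw new SecurityException("refresh token reuse detected; family revoked");
        }
        e.active = false;                             // invalidate but retain, so reuse can be detected
        return mint(clientId, e.familyId);
    }
    public static void main(String[] args) throws Exception {
        RotatingRefreshTokenStore store = new RotatingRefreshTokenStore();
        String t1 = store.issue("client-a");          // constructed sample client id
        String t2 = store.rotate("client-a", t1);     // first refresh with t1 succeeds
        try { store.rotate("client-a", t1); } catch (SecurityException ex) { System.out.println(ex.getMessage()); }
        try { store.rotate("client-a", t2); } catch (SecurityException ex) { System.out.println(ex.getMessage()); }
    }
}
```

The second use of `t1` stands for the case where two parties hold the same token; after it is detected, the successor `t2` is rejected as well, so whichever party obtained it must re-authenticate.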

    Author:
    Javier Rojas Date: 09.29.2011
    See Also:
    Serialized Form
    • Constructor Detail

      • RefreshToken

        public RefreshToken(int lifeTime)

        Constructs a refresh token.

        When created, a token is valid for a given lifetime, and after this period of time, it will be marked as expired automatically by a background process.

        When required, the token can be marked as revoked.

        Parameters:
        lifeTime - The lifetime of the token.
      • RefreshToken

        public RefreshToken(java.lang.String code,
                            java.util.Date creationDate,
                            java.util.Date expirationDate)