This is very much implementation specific, but the general idea is to allow providers to issue short-term access tokens with long-term refresh tokens. Why?
- Many providers support bearer tokens which are very weak security-wise. By making them short-lived and requiring refresh, they limit the time an attacker can abuse a stolen token.
- Large-scale deployments don’t want to perform a database lookup on every API call, so instead they issue self-encoded access tokens which can be verified by decryption. However, this also means there is no way to revoke these tokens, so they are issued for a short time and must be refreshed.
- The refresh token requires client authentication, which makes it stronger. Unlike the above access tokens, it is usually implemented with a database lookup.
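To make the two-token design concrete, here is a small added example (not part of the answer above, and not any real provider's code) that models both halves: a self-encoded, HMAC-signed access token that is verified statelessly and expires on its own, and an opaque refresh token that lives in a server-side store, requires client authentication, and is rotated and revocable. The key, the client registry and the in-memory dict standing in for the database are constructed stand-ins; the TTL values are illustrative.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET_KEY = b"constructed-demo-signing-key"   # constructed; a real issuer uses a managed key
ACCESS_TTL = 300                                # seconds: short-lived because it cannot be revoked
REFRESH_TTL = 30 * 24 * 3600                    # seconds: long-lived, revocable via the store

# Constructed client registry and refresh-token store (stand-ins for a database).
CLIENTS = {"app-1": "client-secret-1"}
REFRESH_STORE = {}   # sha256(refresh_token) -> record; only a hash is stored


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _now(now):
    return int(time.time() if now is None else now)


def issue_access_token(subject, client_id, now=None):
    """Self-encoded token: claims + HMAC tag. No server state is written."""
    now = _now(now)
    claims = {"sub": subject, "cid": client_id, "iat": now, "exp": now + ACCESS_TTL}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_access_token(token, now=None):
    """Stateless check: valid signature and not expired. Returns claims or None.
    Nothing here can 'revoke' a token; only the short exp bounds the damage."""
    now = _now(now)
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def _refresh_key(refresh_token):
    return hashlib.sha256(refresh_token.encode()).hexdigest()


def issue_refresh_token(subject, client_id, now=None):
    """Opaque random token whose record lives in the store (database lookup on use)."""
    now = _now(now)
    token = secrets.token_urlsafe(32)
    REFRESH_STORE[_refresh_key(token)] = {
        "sub": subject, "cid": client_id, "exp": now + REFRESH_TTL, "revoked": False,
    }
    return token


def revoke_refresh_token(refresh_token):
    rec = REFRESH_STORE.get(_refresh_key(refresh_token))
    if rec is None:
        return False
    rec["revoked"] = True
    return True


def refresh(refresh_token, client_id, client_secret, now=None):
    """Exchange a refresh token for a new pair. Requires client authentication,
    a live store record bound to that client, and rotates the refresh token."""
    now = _now(now)
    registered = CLIENTS.get(client_id)
    if registered is None or not hmac.compare_digest(registered, client_secret):
        return None
    rec = REFRESH_STORE.get(_refresh_key(refresh_token))
    if rec is None or rec["revoked"] or rec["cid"] != client_id or rec["exp"] <= now:
        return None
    rec["revoked"] = True                    # one-time use: old token is dead after rotation
    return {
        "access_token": issue_access_token(rec["sub"], client_id, now),
        "refresh_token": issue_refresh_token(rec["sub"], client_id, now),
    }
```

The `now` parameter exists so the expiry behaviour can be exercised deterministically; in production every call would use the real clock. Note the asymmetry the answer describes: `verify_access_token` never touches `REFRESH_STORE`, while `refresh` cannot succeed without both the client secret and a store hit.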