What's the difference between `oauth2-token-exchange`, `oauth2-access-token` and `oauth2-refresh-token`

Hello :wave:

I’m looking at the authentication protocol object from the post-login action and I’m wondering what is the difference between those 3 values:

  • oauth2-refresh-token
  • oauth2-access-token
  • oauth2-token-exchange

It is documented here Actions Triggers: post-login - Event Object but I’m not sure what is the real difference:

  • oauth2-access-token Refreshing a token using the refresh token exchange.
  • oauth2-refresh-token Refreshing a token using the refresh token exchange.
  • oauth2-token-exchange

I’m filtering the oauth2-refresh-token protocol to not trigger MFA in this action when refreshing the access token but I’m wondering if I should also use oauth2-access-token as well?

Can you clarify what is the difference between them?

Thanks :pray:

Hi @Will956,

Thanks for posting your question on Community!

  • oauth2-refresh-token: Refers to refreshing a token using the refresh token exchange.
  • oauth2-access-token: Corresponds to the legacy POST /oauth/accesstoken request for an access token.
  • oauth2-token-exchange: Refers to exchanging a code for an access token.

If you need to prevent MFA from being triggered for the oauth2-refresh-token transaction, you could do something like the following:

exports.onExecutePostLogin = async (event, api) => {
  if (event.transaction.protocol !== "oauth2-refresh-token") {
    api.multifactor.enable("any"); // trigger MFA for every other protocol
  }
  // else do not trigger MFA
};

Finally, one thing to note is that you will need to set your Require Multi-factor Auth to Never for this to work properly. This is because Actions will override the MFA setting being turned off.

Please let me know how this goes for you.


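The check from the reply above, written out as an added example (not part of the original thread and not Auth0's own code): it skips MFA only for the refresh token exchange and still challenges the other two protocols, as well as a transaction with no protocol at all. The names `shouldTriggerMfa` and `simulate`, the stub `api` object and the sample events are hypothetical and constructed for illustration.

```javascript
// Added example. The only protocol allowed to skip MFA is the one the
// thread asks about; everything else is challenged.
const SKIP_MFA_PROTOCOLS = new Set(["oauth2-refresh-token"]);

// Decide whether this transaction should be challenged for MFA.
// Fails closed: a missing or unrecognised protocol still gets MFA.
function shouldTriggerMfa(event) {
  const protocol = event.transaction?.protocol;
  return !SKIP_MFA_PROTOCOLS.has(protocol);
}

const onExecutePostLogin = async (event, api) => {
  if (shouldTriggerMfa(event)) {
    api.multifactor.enable("any");
  }
};

// Actions are loaded as CommonJS modules; the guard only keeps this file
// loadable in environments where `exports` is not defined.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Hypothetical local harness: runs the handler against a constructed event
// with a stub `api` and returns the MFA providers that were enabled.
// The handler contains no await, so the stub is called before it returns.
function simulate(protocol) {
  const enabled = [];
  const api = { multifactor: { enable: (provider) => enabled.push(provider) } };
  const event = protocol ? { transaction: { protocol } } : {};
  onExecutePostLogin(event, api);
  return enabled;
}

// Constructed sample transactions, one per protocol named in the thread,
// plus one with no transaction object.
for (const p of ["oauth2-refresh-token", "oauth2-access-token",
                 "oauth2-token-exchange", undefined]) {
  console.log(String(p).padEnd(22), "MFA:", simulate(p).length > 0);
}
```

As the reply notes, the tenant-level Require Multi-factor Auth setting has to be Never for the Action to be the one deciding.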