What are access and refresh tokens in Artifactory?

Nimer Bsoul
2019-09-10 08:47


Access tokens are an alternative means of authentication and can be used instead of basic authentication (i.e. user and password). Using access tokens opens up a whole range of capabilities.

Affected Versions

All Artifactory versions that support Access Tokens.


Access Tokens
An access token is, in a way, like a hotel electronic key.
It is immutable: once it has been created it can’t be changed, and once it has expired or been revoked it can’t be “re-used”.
On the access token itself, we can set various claims like:

  • What can be accessed with the token (scope)
  • How long will the token be valid (expires-by)
  • Which servers will accept the token (audience)
  • And more

This gives you fine-grained control over access to your system.
It is highly recommended to set the token claims to permit the very minimum access required by the client that’s using it.
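
The following is an added example, not JFrog code: a small Python audit that decodes a token's claims and flags the over-broad settings the list above describes (scope, expiry, audience). It assumes the token is a JWT whose scope is carried in a claim named "scp" and whose expiry, issue time and audience use the standard JWT "exp", "iat" and "aud" claims; the sample tokens and the one-hour lifetime limit are constructed for the demo.

```python
import base64
import json
import time

GROUP_WILDCARD = "member-of-groups:*"  # scope value quoted in the article

def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified (audit use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_claims(claims, max_lifetime_s=3600, now=None):
    """Return a list of least-privilege findings for one token's claims."""
    now = time.time() if now is None else now
    findings = []
    exp = claims.get("exp")
    if exp is None:
        findings.append("no-expiry")
    elif exp <= now:
        findings.append("expired")
    elif exp - claims.get("iat", now) > max_lifetime_s:
        findings.append("long-lived")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if not audiences:
        findings.append("no-audience")
    elif any("*" in a for a in audiences):
        findings.append("wildcard-audience")
    # "scp" as the scope claim name is an assumption of this example
    if GROUP_WILDCARD in str(claims.get("scp", "")).split():
        findings.append("wildcard-group-scope")
    return findings

def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed-signature"])

NOW = 1_700_000_000  # fixed clock so the demo is reproducible
BROAD = make_sample_token({"sub": "ci-user", "scp": "member-of-groups:*",
                           "aud": "*", "iat": NOW, "exp": NOW + 30 * 86400})
NARROW = make_sample_token({"sub": "ci-user", "scp": "member-of-groups:readers",
                            "aud": "service-a", "iat": NOW, "exp": NOW + 900})

if __name__ == "__main__":
    for name, tok in (("broad", BROAD), ("narrow", NARROW)):
        print(name, audit_claims(decode_claims(tok), now=NOW))
```
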

Refresh Tokens
A Refresh Token is a special kind of token that can be used to obtain a renewed access token. You can use a refresh token to request a new access token until the refresh token is invalid (expired/revoked etc.).
Note: When you use a refresh token, you do not extend your original access token, but get a brand new access token. This new access token can have its own new refresh token as well.
Refresh tokens must be stored securely by an application because they essentially allow a user to remain authenticated forever.

There are two exceptions to the above:

1. If the access token is given the scope “member-of-groups:*” for example, then the permissions are evaluated when the token is used.
This means that after the token has been created, the user’s permissions might change and therefore it would affect the token’s permissions.
2. When there is a refresh token, it does not necessarily have to keep the “old” token permissions.

The "refresh token" REST API accepts new claims, but it then creates a new token string using the refresh token; as a result, the previously created token becomes irrelevant and cannot be reused.
If the refresh token is missing or has been lost, a new token with the desired permissions cannot be generated from it and has to be created again from scratch. Existing access tokens cannot be modified or changed without the refresh token, which is the same behavior and purpose as in the JWT industry standards.