Session tokens best practices


I am confused regarding what the Refresh token and Authorization token’s purpose is.

Having experimented and read the docs the following appears to be the case:

  • Sessions can be restored as ‘offline’ using the auth token, but no connection is possible.
  • Restored sessions DO NOT have a valid refresh token and require login.
  • Sessions can be refreshed, at which point they are Online; this can be done with the refresh token alone, which means the Refresh token can generate an Auth token.
  • Logout invalidates both the Refresh and Auth tokens?

Most guides that I have read reference saving the Auth token, but on closer inspection it doesn’t make much sense, as the Refresh token is clearly the one required: it allows us to generate an Auth token AND log in without saving credentials.

If I cannot log in with the Auth token alone then it’s not useful for me to save it, and rather I save the Refresh token instead. Further, the default config.yml hints that the Refresh token expiry time should be greater than the Auth expiry time.

So I have to ask:
Do the Refresh Token and Authorization Token have clear guidelines written anywhere on what their explicit purpose is?
As far as I can deduce, it’s roughly the case that:

Auth = Offline auth
Refresh = Online auth

but I am really not sure if that’s the case.

Currently my auth flow is:

  1. Prompt user to log in
  2. Store refresh token, cache auth token for current session only
  3. Fetch account details

then later when they return:

  1. check for saved refresh token
  2. SessionRefreshAsync with the saved token and cache the resulting auth token for current session only
  3. Fetch account details

Works right now, but I had to create an implementation of Nakama.ISession to force-set the refresh token so I can feed it to SessionRefreshAsync, which hints that I might be misusing something.
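The two flows from the post, written as an added example (not the poster's code and not from the Nakama docs). It assumes nakama-dotnet 3.x, where `Session.Restore(authToken, refreshToken)` rebuilds an `ISession` without a custom implementation; it persists both tokens because `Restore` reads the auth token's claims, and the `Load`/`Save` hooks are hypothetical placeholders for whatever protected storage the client uses.

```csharp
using System;
using System.Threading.Tasks;
using Nakama;

// Added example, not from the original post. Restores a persisted session with
// the SDK's own Session.Restore (assumed: nakama-dotnet 3.x) instead of a
// hand-written ISession, then refreshes it only when the auth token is stale.
public static class SessionFlow
{
    // Hypothetical storage hooks; wire them to PlayerPrefs, a keychain, etc.
    public static Func<(string auth, string refresh)> Load = () => (null, null);
    public static Action<string, string> Save = (auth, refresh) => { };

    // First visit: interactive login, then persist both tokens.
    public static async Task<ISession> LoginAsync(IClient client, string email, string password)
    {
        ISession session = await client.AuthenticateEmailAsync(email, password);
        Save(session.AuthToken, session.RefreshToken);
        return session;
    }

    // Later visit: rebuild the session from storage and refresh it if possible.
    // Returns null when the caller must fall back to LoginAsync.
    public static async Task<ISession> ResumeAsync(IClient client)
    {
        var (auth, refresh) = Load();
        if (string.IsNullOrEmpty(auth) || string.IsNullOrEmpty(refresh)) return null;

        ISession session = Session.Restore(auth, refresh);

        // Small clock-skew margin: a token expiring "right now" counts as expired.
        DateTime soon = DateTime.UtcNow.AddMinutes(1);
        if (session.HasRefreshExpired(soon)) return null;   // refresh token gone: re-login

        if (session.HasExpired(soon))
        {
            // Only the refresh token is needed for this call; it yields a new auth token.
            session = await client.SessionRefreshAsync(session);
            Save(session.AuthToken, session.RefreshToken);
        }
        return session;
    }

    // Logout server-side so both tokens stop working, then forget them locally.
    public static async Task LogoutAsync(IClient client, ISession session)
    {
        await client.SessionLogoutAsync(session);
        Save(null, null);
    }
}
```

Call `ResumeAsync` first and fall back to `LoginAsync` on `null`; after either, `client.GetAccountAsync(session)` fetches the account details.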