
OAuth access tokens and page refresh

Updated: 2023-02-15 23:29:42


If you're talking OAuth 2.0 then you can probably request both a refresh token and access (or Bearer) token when you authenticate with the OAuth 2.0 provider. The refresh token should be returned directly to the server hosting the web application, stored somehow (perhaps session state) and NOT ever exposed to the browser. The browser can use the access token to make requests to secured services/endpoints which require it, but it should have a short lifetime (regardless of whether or not there was a page refresh). When it expires (again, may or may not be due to a page refresh) the client application can make a request to the hosting server where the refresh token was delivered. The server can then use the refresh token to get a new access token WITHOUT the user needing to log in again.

Refresh token section


There are several variations of how OAuth 2.0 can be used, and details may vary with your particular scenario and implementation, but hopefully that gives you a high-level idea of how you can avoid prompting the user to re-authenticate when the access token expires or on page reload.
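As an added worked example (not part of the answer above and not taken from any OAuth library or provider), the following Python simulation plays out the three parties the answer describes: a toy authorization server that honours the `refresh_token` grant, the web application's own hosting server that keeps the refresh token in server-side session state, and a browser client that only ever holds the short-lived access token and asks the hosting server for a new one when it expires. All class names, the injected `FakeClock`, the token lifetimes and the user id `"alice"` are assumptions made for the example; the refresh token is rotated on every use so a previously used token is rejected, and a dead refresh token clears the session so the user must log in again.

```python
import secrets


class FakeClock:
    """Constructed clock so token expiry can be simulated without sleeping."""

    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


class AuthorizationServer:
    """Toy OAuth 2.0 token endpoint (illustrative only, not a real provider)."""

    def __init__(self, clock, access_ttl=300):
        self.clock = clock              # injected clock (see FakeClock)
        self.access_ttl = access_ttl    # access-token lifetime in seconds
        self.refresh_tokens = {}        # refresh_token -> subject (user id)
        self.access_tokens = {}         # access_token -> (subject, expires_at)

    def _issue_access(self, subject):
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = (subject, self.clock() + self.access_ttl)
        return {"access_token": token, "token_type": "Bearer", "expires_in": self.access_ttl}

    def authorization_code_grant(self, subject):
        """Initial login (code exchange simplified away): access + refresh token."""
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = subject
        return {**self._issue_access(subject), "refresh_token": refresh}

    def refresh_token_grant(self, refresh):
        """grant_type=refresh_token: single use, a fresh refresh token is issued (rotation)."""
        subject = self.refresh_tokens.pop(refresh, None)
        if subject is None:
            raise PermissionError("invalid_grant")
        new_refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[new_refresh] = subject
        return {**self._issue_access(subject), "refresh_token": new_refresh}

    def introspect(self, access_token):
        """What a resource server checks: is the bearer token known and unexpired?"""
        entry = self.access_tokens.get(access_token)
        return entry is not None and entry[1] > self.clock()

    def revoke_all(self, subject):
        """Kill every refresh token of a user (logout everywhere / compromise response)."""
        self.refresh_tokens = {t: s for t, s in self.refresh_tokens.items() if s != subject}


class HostingServer:
    """The web app's backend: refresh token lives only in server-side session state."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.sessions = {}   # session_id -> {"refresh_token": ...}

    def login(self, subject):
        tokens = self.auth.authorization_code_grant(subject)
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"refresh_token": tokens["refresh_token"]}
        return session_id, self._browser_view(tokens)

    def refresh(self, session_id):
        """Endpoint the browser calls when its access token has expired."""
        session = self.sessions.get(session_id)
        if session is None:
            raise PermissionError("no session: user must log in")
        try:
            tokens = self.auth.refresh_token_grant(session["refresh_token"])
        except PermissionError:
            del self.sessions[session_id]   # refresh token dead: force re-login
            raise
        session["refresh_token"] = tokens["refresh_token"]   # keep the rotated token
        return self._browser_view(tokens)

    @staticmethod
    def _browser_view(tokens):
        # Strip the refresh token before anything leaves the server.
        return {k: v for k, v in tokens.items() if k != "refresh_token"}


class BrowserClient:
    """Single-page app: caches the access token, refreshes via the hosting server."""

    def __init__(self, hosting, session_id, token_response, clock):
        self.hosting, self.session_id, self.clock = hosting, session_id, clock
        self._store(token_response)

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.expires_at = self.clock() + resp["expires_in"]

    def get_access_token(self):
        # Refresh shortly before expiry; a page reload with a stale cached token takes the same path.
        if self.clock() >= self.expires_at - 30:
            self._store(self.hosting.refresh(self.session_id))
        return self.access_token
```

The design point to notice is `_browser_view`: the only place a refresh token crosses the server boundary is the session dictionary, so a compromised browser context gains at most one short-lived bearer token, and revoking the user's refresh tokens at the authorization server ends the session on the next expiry without touching the browser.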