Question

When I authorize on my OAuth server it returns me access / refresh tokens:

access_token: "ZjJlMGM2MDcxNDg5MDQ1NzA4ZjkyNzRiOTIwM2E5MWI4N2M0MWU0ZD..."
expires_in: 3600
refresh_token: "NWZjMzQ3YjNjMmY5YTEzYzMxMDYzNGVhNzRiNjAxZTdmZTdjNzE3z..."
scope: null
token_type: "bearer"

How do I use them in my client side javascript application?

  1. Is it okay to save the access token and refresh token in cookies? (Is it safe? But anyway, I don't see any other place where I can store them...)
  2. I can request protected resources like this: /api/user?access_token=TOKEN . And when I access them I really do get my protected data successfully. But what will happen when this access token has expired? Will it be automatically refreshed, or do I need to handle it manually?
  3. Why do I need a refresh token, and when should I send it to the server?

Solution

Three-legged (user --- client --- OAuth server)

1) In 3-legged authentication, the access token is stored at the client side and is never transferred to the user.

Two-legged (user --- OAuth server)

In 2-legged authentication, the token is stored at the user side, probably in a cookie.

2) When the token expires, the user explicitly has to use the refresh token to get a new auth token.

3) Each auth token has an expiry, and instead of re-authenticating with a username/password, the user can present the refresh token to get a new valid auth token.
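The refresh flow described in points 2 and 3, as an added example that is not code from the question or the answer: a client that sends the access token as an `Authorization: Bearer` header, treats an `invalid_token` 401 as "access token expired", exchanges the refresh token for a new token pair and retries the request once. The server object is a constructed in-memory stand-in for the poster's OAuth server and `/api/user` resource so the code runs offline; the `/oauth/token` refresh grant and the `invalid_token` / `invalid_grant` error strings follow RFC 6749 and RFC 6750, but whether this particular server uses them is an assumption.

```javascript
// Added example, not the original poster's code. The "server" is a constructed
// in-memory stand-in for the OAuth server and /api/user resource from the question.
const ACCESS_TTL = 3600; // seconds, same as the expires_in value in the question

function makeServer() {
  let now = 0;                 // simulated clock in seconds
  const access = new Map();    // access token -> absolute expiry time
  const refresh = new Set();   // currently valid refresh tokens
  let counter = 0;

  function issue() {
    const a = `access-${++counter}`;
    const r = `refresh-${++counter}`;
    access.set(a, now + ACCESS_TTL);
    refresh.add(r);
    return { access_token: a, expires_in: ACCESS_TTL, refresh_token: r, token_type: 'bearer' };
  }

  return {
    advance(seconds) { now += seconds; },
    login() { return issue(); },   // stands in for the initial user authorization
    // Assumed endpoint: POST /oauth/token with grant_type=refresh_token (RFC 6749 §6)
    token(params) {
      if (params.grant_type !== 'refresh_token' || !refresh.has(params.refresh_token)) {
        return { status: 400, body: { error: 'invalid_grant' } };
      }
      refresh.delete(params.refresh_token); // rotation: each refresh token is single-use
      return { status: 200, body: issue() };
    },
    // GET /api/user, token taken from the Authorization header (RFC 6750 §2.1)
    getUser(headers) {
      const m = /^Bearer (\S+)$/.exec(headers.Authorization || '');
      const exp = m && access.get(m[1]);
      if (!exp || exp <= now) return { status: 401, body: { error: 'invalid_token' } };
      return { status: 200, body: { id: 42, name: 'alice' } };
    },
  };
}

class OAuthClient {
  constructor(server, tokens) {
    this.server = server;
    this.tokens = tokens;        // kept in memory, not in a cookie or the URL
    this.refreshCount = 0;
  }

  refresh() {
    const res = this.server.token({
      grant_type: 'refresh_token',
      refresh_token: this.tokens.refresh_token,
    });
    // A rejected refresh token cannot be recovered from: the user must log in again.
    if (res.status !== 200) throw new Error('refresh failed: re-authenticate');
    this.tokens = res.body;
    this.refreshCount++;
  }

  getUser() {
    const call = () =>
      this.server.getUser({ Authorization: `Bearer ${this.tokens.access_token}` });
    let res = call();
    if (res.status === 401 && res.body.error === 'invalid_token') {
      this.refresh();   // access token expired: exchange the refresh token, retry once
      res = call();
    }
    if (res.status !== 200) throw new Error(`request failed: ${res.status}`);
    return res.body;
  }
}

// Walk through the expiry: fresh token works, expired token triggers one refresh,
// and the consumed refresh token is rejected if replayed.
function demo() {
  const server = makeServer();
  const client = new OAuthClient(server, server.login());
  const oldRefresh = client.tokens.refresh_token;
  const first = client.getUser();            // fresh access token, no refresh needed
  server.advance(ACCESS_TTL + 1);            // let the access token expire
  const second = client.getUser();           // 401 invalid_token -> refresh -> retry
  const replay = server.token({ grant_type: 'refresh_token', refresh_token: oldRefresh });
  return { first, second, refreshes: client.refreshCount, replayRejected: replay.status === 400 };
}
```

Two design points worth noting. The access token travels in the `Authorization` header rather than as `?access_token=` in the URL, so it does not end up in server logs, browser history or `Referer` headers. And nothing refreshes automatically: the client has to notice the expired-token response (or track `expires_in` itself) and send the refresh token to the token endpoint, which is the manual handling the answer's point 2 refers to.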

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow