FusionAuth
Refresh token

Q&A
refresh token oauth
  • dan, last edited 30 Mar 2021, 20:11

    Was reading the Modern Guide to OAuth and had a question.

    Why are refresh tokens a good idea?

    Isn't it more secure to just have a single access token? If it expires, then we re-authenticate.

    The refresh access token feels like a backdoor to get an access token.

    --
    FusionAuth - Auth for devs, built by devs.
    https://fusionauth.io

    • dan, last edited 30 Mar 2021, 20:16

      The difference between a JWT/access token and a refresh token is that a refresh token can be revoked. Every time you present it to the Identity Provider/OAuth server, the OAuth server can check to see if the user has been banned, signed out or otherwise invalidated that token. (You can revoke a JWT, but it's a pain, typically.)

      A refresh token is an engineering tradeoff. Without refresh tokens, you would have two unappetizing alternatives:

      • an access token that lived for a long time. In this case, if the access token is stolen, the attacker has a lot of time to access systems (or you need to have some kind of access token revocation strategy, which degrades the value of stateless access tokens).
      • requiring the user to sign in every time the token expires. That gets old if the lifetime of the access token is minutes or hours. I even get annoyed every time Google asks me to re-sign into Gmail, which only happens every week or two.

      The spec requires a client to explicitly request a refresh token. With FusionAuth you have to request the offline_access scope (which is common for other auth providers, but I wasn't able to find it in the RFC), so it's a way to offer more flexibility.

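The split the reply above describes, a short-lived stateless access token beside a long-lived but revocable refresh token, is easier to see in code. The following is an added illustration, not FusionAuth's implementation or any code from the thread: the token format (HMAC-signed JSON, standing in for a JWT), the in-memory store, the constructed lifetimes and the helper names (`TokenServer`, `issue_tokens`, `refresh`, `revoke_user`, `demo`) are all assumptions. It also mirrors the post's point that the client has to ask for a refresh token by only issuing one when `offline_access` is in the requested scopes, and it shows the cost side of the tradeoff: after a ban, the next refresh is rejected, but an access token already in the wild keeps verifying until its short expiry.

```python
"""Constructed example: stateless access tokens plus revocable, rotating refresh tokens.
Not FusionAuth's code; token format, store and names are assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

ACCESS_TTL = 300          # constructed: 5-minute access tokens, verified without a lookup
REFRESH_TTL = 30 * 86400  # constructed: 30-day refresh tokens, checked on every use


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class TokenServer:
    """Minimal authorization server: access tokens are self-contained, refresh tokens are looked up."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        # Refresh tokens are stored only as SHA-256 digests so a leaked store yields no usable tokens.
        self._refresh_store = {}
        self._banned = set()

    def _sign_access_token(self, user: str, scopes: list, now: float) -> str:
        claims = {"sub": user, "scope": " ".join(scopes), "iat": int(now), "exp": int(now) + ACCESS_TTL}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def verify_access_token(self, token: str, now: float) -> Optional[dict]:
        """Stateless check: signature and expiry only. A banned user's access token
        stays valid until exp, which is exactly why ACCESS_TTL is kept short."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return claims if claims["exp"] > now else None

    def _new_refresh_token(self, user: str, scopes: list, now: float) -> str:
        token = secrets.token_urlsafe(32)  # opaque handle, no claims inside
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._refresh_store[digest] = {"sub": user, "scopes": scopes, "exp": now + REFRESH_TTL}
        return token

    def issue_tokens(self, user: str, scopes: list, now: float) -> dict:
        """Initial grant after authentication. A refresh token is issued only when the
        client explicitly asked for one via the offline_access scope."""
        result = {"access_token": self._sign_access_token(user, scopes, now)}
        if "offline_access" in scopes:
            result["refresh_token"] = self._new_refresh_token(user, scopes, now)
        return result

    def refresh(self, refresh_token: str, now: float) -> Optional[dict]:
        """Refresh grant. Every presentation is a chance to say no: unknown, expired,
        already-used or revoked token, or a user banned since it was issued."""
        digest = hashlib.sha256(refresh_token.encode()).hexdigest()
        record = self._refresh_store.pop(digest, None)  # single use: the token is rotated
        if record is None or record["exp"] <= now or record["sub"] in self._banned:
            return None
        return {
            "access_token": self._sign_access_token(record["sub"], record["scopes"], now),
            "refresh_token": self._new_refresh_token(record["sub"], record["scopes"], now),
        }

    def revoke_user(self, user: str) -> int:
        """Sign-out or ban: delete the user's refresh tokens and block future ones.
        Returns the number of refresh tokens invalidated."""
        self._banned.add(user)
        doomed = [h for h, r in self._refresh_store.items() if r["sub"] == user]
        for h in doomed:
            del self._refresh_store[h]
        return len(doomed)


def demo() -> dict:
    """Walk through the tradeoff with a fixed clock so the outcome is deterministic."""
    srv = TokenServer(signing_key=b"constructed-demo-key-not-for-production")
    t0 = 1_600_000_000.0
    grant = srv.issue_tokens("alice", ["openid", "offline_access"], now=t0)
    no_offline = srv.issue_tokens("alice", ["openid"], now=t0)
    rotated = srv.refresh(grant["refresh_token"], now=t0 + 60)
    replay = srv.refresh(grant["refresh_token"], now=t0 + 61)  # old handle was rotated away
    srv.revoke_user("alice")
    after_ban = srv.refresh(rotated["refresh_token"], now=t0 + 120)
    still_valid = srv.verify_access_token(rotated["access_token"], now=t0 + 120)
    expired = srv.verify_access_token(rotated["access_token"], now=t0 + 60 + ACCESS_TTL)
    return {
        "refresh_issued_only_with_offline_access": "refresh_token" not in no_offline,
        "first_refresh_ok": rotated is not None,
        "replay_rejected": replay is None,
        "refresh_after_ban_rejected": after_ban is None,
        "old_access_token_still_valid_after_ban": still_valid is not None,  # the cost of statelessness
        "old_access_token_expired_later": expired is None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and every flag in the result comes out true. The two things to take away are in `refresh` and `verify_access_token`: the refresh path consults server state and can refuse (ban, sign-out, replay of a rotated token), while the access-token path never touches storage, so revocation only takes effect once `ACCESS_TTL` has run out. That is the engineering tradeoff the reply describes, and it is why a short access-token lifetime matters whenever you rely on refresh tokens for revocation.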