I can't find any reason to use a refresh_token when we can make the access_token long-lived...
Why do we have both?

1 Answer
As you have JWT as a tag on your question, I will assume you are referring to JSON Web Tokens.
The following was referenced from "Refresh Tokens: When to Use Them and How They Interact with JWTs":
Access tokens carry the necessary information to access a resource directly. In other words, when a client passes an access token to a server managing a resource, that server can use the information contained in the token to decide whether the client is authorized or not. Access tokens usually have an expiration date and are short-lived.
Refresh tokens carry the information necessary to get a new access token. In other words, whenever an access token is required to access a specific resource, a client may use a refresh token to get a new access token issued by the authentication server. Common use cases include getting new access tokens after old ones have expired, or getting access to a new resource for the first time. Refresh tokens can also expire but are rather long-lived. Refresh tokens are usually subject to strict storage requirements to ensure they are not leaked. They can also be blacklisted by the authorization server.
This second reference is also an interesting read regarding the short-lived access token and long-lived refresh token: "Why Does OAuth v2 Have Both Access and Refresh Tokens?"
Revocation: if the access token is self-contained, authorization can be revoked by not issuing new access tokens. A resource does not need to query the authorization server to see if the access token is valid. This simplifies access token validation and makes it easier to scale and support multiple authorization servers. There is a window of time when an access token is valid, but authorization is revoked.
Hope this helps.
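The split the answer describes, shown end to end as an added example (this is not code from the original answer or from either referenced article). The authorization server issues a short-lived, self-contained HS256 JWT as the access token and an opaque, server-side-stored refresh token; the resource server validates the access token locally with the shared key and never calls the authorization server; revoking the refresh token stops new access tokens but leaves an already-issued one valid until it expires, which is the revocation window the quoted text mentions. The HS256 implementation is hand-rolled so the example runs without third-party libraries; the class and claim names, the TTLs, the signing key and the timestamps are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key shared by the auth server and the resource server.
# In a real deployment the key would come from a secret store, not source code.
SECRET = b"constructed-demo-signing-key"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: int):
    """Return the claims if the signature is valid and 'exp' is in the future, else None.

    This is the whole access-token check: no round trip to the authorization server.
    """
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


class AuthServer:
    """Hypothetical authorization server (assumed name)."""
    ACCESS_TTL = 300            # 5 minutes: short-lived, self-contained
    REFRESH_TTL = 30 * 86400    # 30 days: long-lived, stored server-side, revocable

    def __init__(self, key: bytes):
        self.key = key
        self.refresh_tokens = {}  # opaque refresh token -> (subject, expiry)

    def _access_token(self, subject: str, now: int) -> str:
        return sign_jwt({"sub": subject, "iat": now, "exp": now + self.ACCESS_TTL}, self.key)

    def login(self, subject: str, now: int):
        """Issue an access token plus a random, opaque refresh token."""
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = (subject, now + self.REFRESH_TTL)
        return self._access_token(subject, now), refresh

    def refresh(self, refresh_token: str, now: int):
        """Exchange a live refresh token for a new access token; None if unknown, revoked or expired."""
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None or entry[1] <= now:
            return None
        return self._access_token(entry[0], now)

    def revoke(self, refresh_token: str) -> None:
        """Blacklist the refresh token: no further access tokens will be issued for it."""
        self.refresh_tokens.pop(refresh_token, None)


class ResourceServer:
    """Hypothetical resource server (assumed name); trusts the token's own claims."""
    def __init__(self, key: bytes):
        self.key = key

    def authorize(self, access_token: str, now: int) -> bool:
        return verify_jwt(access_token, self.key, now) is not None


def demo() -> dict:
    """Walk the lifecycle and return each outcome; constructed timestamps."""
    auth, rs = AuthServer(SECRET), ResourceServer(SECRET)
    t0 = 1_700_000_000
    access, refresh = auth.login("alice", t0)
    out = {}
    out["fresh_ok"] = rs.authorize(access, t0 + 60)           # inside the 5-minute window
    out["expired_denied"] = rs.authorize(access, t0 + 600)    # 10 minutes later: expired
    access2 = auth.refresh(refresh, t0 + 600)                  # refresh token still valid
    out["refreshed_ok"] = access2 is not None and rs.authorize(access2, t0 + 601)
    auth.revoke(refresh)
    out["no_new_token_after_revoke"] = auth.refresh(refresh, t0 + 602) is None
    # Revocation window: the already-issued access token stays valid until its own 'exp'.
    out["window_still_valid"] = rs.authorize(access2, t0 + 700)
    out["window_closed"] = rs.authorize(access2, t0 + 901)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The size of the revocation window is exactly ACCESS_TTL: shrinking it means more refresh round trips, widening it means a revoked user keeps access longer, which is the trade-off behind keeping access tokens short and refresh tokens long.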