
OAuth2 introduces the idea of having expiring access tokens and non-expiring (or long-term) refresh tokens that are used to obtain a new access token.

This additional security layer has a cost (backend as well as frontend). Does the benefit of this measure outweigh the costs?

Well, this sounds like a nice process if you are planning to deploy your API over HTTP, but is it still useful when you use SSL (TLS)?

All my research about this question on the internet somehow pointed to "if an attacker steals your non-expiring access token...", but wait, no, nobody will be able to middle-manize my token because it's over HTTPS.

So do we trust HTTPS and all of this is overkill dogma, or is there any other reason to worry that my users' tokens may be stolen?

lapin

1 Answer


It is not so much about mitigation of token loss but more about being able to apply access policies when a new token is requested in a central location.

Remember, the refresh token is only ever used against the Authorization Server to get a new access token, at which point the Authorization Server can apply those centralized policies, whereas the access token is used against the Resource Server that holds the protected resources.

See: what's the point of refresh token?

Hans Z.