
Hi guys, I am researching refresh/access tokens (OAuth 2) with a single-page application. In my case there is one auth server and many resource servers, but I don't understand:

"Do we need to use a refresh token to get a new access token, and why? If yes, should the client side store the refresh token or only the access token?"


In my opinion:

- If we store the refresh token on the client side to get a new access token, why don't we use the access token to get a new access token before it expires?

- If we store the refresh token on the auth server, then what is the refresh token's purpose?

Please help me! Thanks everyone!

Comment: Looks like it's been answered here https://stackoverflow.com/questions/53936416/oauth-client-credentials-reissue-access-token-vs-refresh-token – rocketer Jun 23 '20 at 08:17

1 Answer

After a while I found an answer myself :))

With a single-page application we still need to store the access token and the refresh token in the client. Why?

Because the access token is used to exchange with many resource services, and we can't trust any resource service 100%; they could belong to 3rd-party services that adapt to our service in the future. So I can say "the access token can still be stolen in a 3rd-party service". But remember that the access token's lifetime is short (about 10-30 minutes), so we must accept this case.

But the refresh token is used to get a new access token, and its lifetime is usually very long (1 month, maybe even 1 year). If we lose it, the thief can do anything with our resources. Therefore, the refresh token is only exchanged between the client and the authentication server. The authentication server never loses security data such as the refresh token, and the connection between the client and the authentication server can be trusted, because if we can't trust the authentication server, all our information is already lost from the beginning and there is no way to save it.
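The token split the answer describes, as an added example that is not part of the question or the answer: an in-memory simulation in which the auth server and the resource server are constructed stand-ins (the object and function names, the TTLs and the `at-`/`rt-` token prefixes are all assumptions for this example, not anything from the page). The SPA client keeps both tokens in memory, renews the access token shortly before it expires, and sends the refresh token to the auth server only; the auth server rotates refresh tokens on use so a replayed old one is rejected, and the resource server is shown to have seen nothing but short-lived access tokens, which stop working once their TTL passes.

```javascript
// Added example (not from the question or answer): an in-memory simulation of
// the token split the answer describes. The auth server and resource server
// objects are constructed stand-ins, not real endpoints; all names are assumed.

const ACCESS_TTL_MS = 15 * 60 * 1000;            // short-lived access token (~15 min)
const REFRESH_TTL_MS = 30 * 24 * 60 * 60 * 1000; // long-lived refresh token (~30 days)
const REFRESH_SKEW_MS = 60 * 1000;               // renew when under a minute of life remains

// Fake clock so the simulation can jump forward deterministically.
let fakeNow = 0;
const now = () => fakeNow;
const advance = (ms) => { fakeNow += ms; };

let counter = 0;
const mint = (prefix) => `${prefix}-${++counter}`;

// Auth server stand-in: the only party that ever sees a refresh token.
const authServer = {
  refreshTokens: new Map(), // refresh token -> { expiresAt }
  accessTokens: new Map(),  // access token  -> { expiresAt }
  issuePair() {
    const accessToken = mint('at');
    const refreshToken = mint('rt');
    const expiresAt = now() + ACCESS_TTL_MS;
    this.accessTokens.set(accessToken, { expiresAt });
    this.refreshTokens.set(refreshToken, { expiresAt: now() + REFRESH_TTL_MS });
    return { accessToken, refreshToken, expiresAt };
  },
  refresh(refreshToken) {
    const rec = this.refreshTokens.get(refreshToken);
    if (!rec || rec.expiresAt <= now()) throw new Error('invalid_grant');
    // Rotation: a refresh token is single-use, so a copy replayed later fails.
    this.refreshTokens.delete(refreshToken);
    return this.issuePair();
  },
  isValidAccessToken(accessToken) {
    const rec = this.accessTokens.get(accessToken);
    return rec !== undefined && rec.expiresAt > now();
  },
};

// Resource server stand-in: accepts access tokens only and records what it was sent.
const resourceServer = {
  seenTokens: [],
  get(bearer) {
    this.seenTokens.push(bearer);
    if (!authServer.isValidAccessToken(bearer)) return { status: 401 };
    return { status: 200, body: 'profile data' };
  },
};

// SPA client: holds both tokens in memory, sends the refresh token to the auth
// server only, and renews the access token shortly before it expires.
class SpaClient {
  constructor() { this.tokens = null; this.refreshCount = 0; }
  login() { this.tokens = authServer.issuePair(); }
  currentAccessToken() {
    if (this.tokens.expiresAt - REFRESH_SKEW_MS <= now()) {
      this.tokens = authServer.refresh(this.tokens.refreshToken);
      this.refreshCount += 1;
    }
    return this.tokens.accessToken;
  }
  fetchResource() { return resourceServer.get(this.currentAccessToken()); }
}

// Runs the scenario and returns the observations a test can check.
function simulate() {
  fakeNow = 0; counter = 0; resourceServer.seenTokens = [];
  const client = new SpaClient();
  client.login();
  const firstAccess = client.tokens.accessToken;
  const firstRefresh = client.tokens.refreshToken;

  const r1 = client.fetchResource();   // fresh token: no refresh needed
  advance(ACCESS_TTL_MS - 30 * 1000);  // 30 s before expiry: inside the skew window
  const r2 = client.fetchResource();   // client refreshes first, then calls the API

  let replayRejected = false;          // the old refresh token was rotated out
  try { authServer.refresh(firstRefresh); } catch (e) { replayRejected = e.message === 'invalid_grant'; }

  advance(ACCESS_TTL_MS);              // the first access token is now past its TTL
  const staleStatus = resourceServer.get(firstAccess).status; // an old copy no longer works

  return {
    statuses: [r1.status, r2.status],
    rotated: client.tokens.accessToken !== firstAccess,
    refreshCount: client.refreshCount,
    replayRejected,
    staleStatus,
    resourceServerSawOnlyAccessTokens: resourceServer.seenTokens.every((t) => t.startsWith('at-')),
  };
}

console.log(simulate());
```

Run it with `node` and read the printed object: both resource calls succeed, exactly one refresh happens (triggered by the skew window, not by a failed request), the replayed refresh token is rejected, the expired access token gets a 401, and the resource server's log contains only `at-` tokens. A real SPA would hold the tokens in memory the same way but talk to the auth server's token endpoint over HTTPS instead of calling these stand-in objects.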