
As I understood,

You would make the lifespan for JWT Access Token short so that if someone has access to it, it would not work for long. However, we would not do the same with JWT Refresh Tokens to enhance the UX.

But now if someone has access over my JWT Refresh Token, that would grant them access to the protected resources. So how is it secure then?

Ahmed

2 Answers

As I understand your question: if someone has access to my JWT Refresh Token, that would grant them access to the protected resources. So how is it secure then?

To check whether it is secure or not, what you can do is validate the token, check its claims, and cross-check that it is the same person who is logged in by passing some variables such as user-id or user-email and user-password when you hit the refresh-token function. If any condition fails, you can return Invalid-token or Unauthorized and kick him out.

And here is an explanation of the workflow for validating a refresh token and issuing a new bearer token.


The refresh token needs to be managed and handled in a secure way. Preferably, the refresh token should not end up in the browser. Also, the refresh token is never sent to the APIs.

So the refresh token is something that is only sent between the client and the authorization server (not the browser or APIs).

So, if you do everything properly, the refresh token never leaves the backend (not exposed to the browser), then it is pretty secure (unless your backend is hacked, but then you are game over anyway).

You can further strengthen it by securing the communication channel between the client backend application and the authorization server using certificates and other networking restrictions. So, if you follow the best practices, as outlined in OAuth 2.1, it is pretty safe and solid.

So, the conclusion is that as the refresh token is never used outside the client who originally received it, it's pretty safe, and as long as the backend is not hacked, it's secure.

If you are building a SPA client (React...) then you should consider using the BFF pattern, as handling tokens in the browser is never a good idea. Also see this video

Tore Nestenius
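The pattern both answers describe, with the backend (BFF) keeping the refresh token, validating its claims against the session owner, and handing out only short-lived access tokens, as an added Python example that is not code from either answer. It assumes a standard-library HS256 JWT, an in-memory session store, a constructed signing key, and it adds refresh-token rotation on every use, which goes beyond the answers but follows the OAuth 2.1 guidance the second answer cites.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key"  # assumption: HS256 key held only by the auth server / backend
ACCESS_TTL, REFRESH_TTL = 300, 30 * 24 * 3600  # short-lived access token, long-lived refresh token
SESSIONS = {}  # backend-side session store; the browser only ever holds the opaque session id

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(claims: dict) -> str:
    """Minimal HS256 JWT so the example runs on the standard library alone."""
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify(token: str, expected_typ: str, now: float) -> dict:
    head, body, sig = token.split(".")  # signature, expiry and token-type checks; ValueError on failure
    good = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(good), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("typ") != expected_typ or claims["exp"] <= now:
        raise ValueError("wrong token type or expired")
    return claims

def _new_refresh(sess: dict, now: float) -> None:
    sess["jti"] = secrets.token_urlsafe(16)  # fresh id, so the previous refresh token is dead
    sess["refresh"] = sign({"sub": sess["sub"], "typ": "refresh", "jti": sess["jti"],
                            "exp": now + REFRESH_TTL})

def login(user: str, now: float) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"sub": user}
    _new_refresh(SESSIONS[sid], now)
    return sid

def refresh(sid: str, now: float) -> str:
    """Return a new access token for the session; the refresh token never leaves this backend."""
    sess = SESSIONS.get(sid)
    if sess is None:
        raise PermissionError("unknown session")
    try:
        claims = verify(sess["refresh"], "refresh", now)
    except ValueError:
        SESSIONS.pop(sid); raise PermissionError("invalid refresh token")
    if claims["sub"] != sess["sub"] or claims["jti"] != sess["jti"]:  # cross-check the owner (answer 1)
        SESSIONS.pop(sid); raise PermissionError("refresh token does not belong to this session")
    _new_refresh(sess, now)  # rotate on every use (OAuth 2.1 recommendation)
    return sign({"sub": sess["sub"], "typ": "access", "exp": now + ACCESS_TTL})
```

The browser never sees `sess["refresh"]`; it sends only the session id, and a failed validation ends the session rather than leaving a suspect refresh token usable.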