
This documentation states:

Firebase ID tokens are short lived and last for an hour; the refresh token can be used to retrieve new ID tokens.

Am I right to say that refresh tokens essentially act as both the password and identification for the client device simultaneously, and that having the refresh token means being able to retrieve an ID token, and thus being able to authenticate as the user associated with that refresh token?

If that is so, what is the purpose of having these two distinct tokens?

Thanks.

Nathan Tew

1 Answer


An ID token is a JWT that proves that the user has authenticated, but doesn't contain enough information to authenticate the user. It is a bearer token that has a built-in expiration time (in the case of Firebase, that is one hour after it was minted). It can be decoded easily (for example on jwt.io), making it really easy to work with. All of these make it much safer to pass this token type around as proof of authentication, and to use it in client-side applications.

The refresh token is a long-lived OAuth2 token and is somewhat of a proxy of the user's credentials. It can be used to generate ID tokens, but cannot itself be decoded by the recipient. It should only be used on servers, to determine the authorization of the user.

Also see:

Frank van Puffelen
    It should be noted that a refresh token can be revoked, whereas an ID token cannot. https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens – Doug Stevenson Oct 09 '22 at 04:47
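The properties the answer and the comment above describe (an ID token is a self-contained, signed, decodable JWT with an exp claim; a refresh token is an opaque value the issuer can revoke; a revoked refresh token can no longer mint ID tokens, but an already-minted ID token keeps verifying until it expires) can be seen in one small simulation. The following is an added example, not code from the question, the answer, or Firebase. It assumes a constructed project id, issuer and user id, and signs with a shared HMAC key (HS256) so that it runs with the standard library alone; real Firebase ID tokens are RS256-signed and checked against Google's published public keys, so the key handling differs but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed values standing in for a real Firebase project (assumptions, not from the page).
PROJECT_ID = "demo-project"
ISSUER = f"https://securetoken.google.com/{PROJECT_ID}"
# Firebase signs ID tokens with RS256 and publishes public keys; a shared HMAC key is used
# here only so the example runs with the standard library.
SIGNING_KEY = b"constructed-demo-signing-key"
ID_TOKEN_TTL = 3600  # one hour, as the Firebase docs quoted in the question state


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(uid: str, now: int) -> str:
    """Build a JWT carrying the claims a verifier will check: iss, aud, sub, iat, exp."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": PROJECT_ID, "sub": uid, "iat": now, "exp": now + ID_TOKEN_TTL}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_id_token(token: str, now: int) -> dict:
    """Backend-side check of an ID token: signature, algorithm, issuer, audience, expiry.
    Nothing here consults a database, which is why an issued ID token stays valid until exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not get to pick its own algorithm
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != PROJECT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


class RefreshTokenStore:
    """Refresh tokens are opaque random strings known only to the issuer, so they can be revoked."""

    def __init__(self) -> None:
        self._owner: dict[str, str] = {}

    def issue(self, uid: str) -> str:
        token = secrets.token_urlsafe(32)
        self._owner[token] = uid
        return token

    def revoke_all(self, uid: str) -> None:
        self._owner = {t: u for t, u in self._owner.items() if u != uid}

    def exchange(self, refresh_token: str, now: int) -> str:
        uid = self._owner.get(refresh_token)
        if uid is None:
            raise PermissionError("refresh token unknown or revoked")
        return mint_id_token(uid, now)


def _valid(token: str, now: int) -> bool:
    try:
        verify_id_token(token, now)
        return True
    except ValueError:
        return False


def demo(now: int = 1_700_000_000) -> dict:
    """Walk through issue -> refresh -> verify -> revoke and report what still works."""
    store = RefreshTokenStore()
    refresh = store.issue("user-123")
    id_token = store.exchange(refresh, now)
    claims = verify_id_token(id_token, now)

    # Forgery attempt: swap the subject claim but keep the original signature.
    header_b64, _, sig_b64 = id_token.split(".")
    forged_claims = dict(claims, sub="someone-else")
    forged = f"{header_b64}.{_b64url(json.dumps(forged_claims).encode())}.{sig_b64}"

    store.revoke_all("user-123")
    try:
        store.exchange(refresh, now + 60)
        refresh_after_revoke = True
    except PermissionError:
        refresh_after_revoke = False

    return {
        "claims": claims,
        "tampered_valid": _valid(forged, now),
        "refresh_after_revoke": refresh_after_revoke,
        "id_token_valid_after_revoke": _valid(id_token, now + 60),
        "id_token_valid_after_expiry": _valid(id_token, now + ID_TOKEN_TTL),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the outcome of each step: the verified claims, that a token with an edited `sub` fails the signature check, that the refresh token stops working the moment it is revoked, and that the ID token issued before the revocation still verifies until its `exp` passes. That last line is the reason the comment recommends treating revocation as a refresh-token operation and keeping ID-token lifetimes short.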