Refresh token

  • Was reading the Modern Guide to OAuth and had a question.

    Why are refresh tokens a good idea?

    Isn't it more secure to just have a single access token? If it expires, then we re-authenticate.

    The refresh access token feels like a backdoor to get an access token.

  • The difference between a JWT/access token and a refresh token is that a refresh token can be revoked. Every time you present it to the Identity Provider/OAuth server, the OAuth server can check to see if the user has been banned, signed out or otherwise invalidated that token. (You can revoke a JWT, but it's a pain, typically.)

    A refresh token is an engineering tradeoff. Without refresh tokens, you would have two unappetizing alternatives:

    • an access token that lived for a long time. In this case, if the access token is stolen, the attacker has a lot of time to access systems (or you need to have some kind of access token revocation strategy, which degrades the value of stateless access tokens).
    • requiring the user to sign in every time the token expires. That gets old if the lifetime of the access token is minutes or hours. I even get annoyed every time Google asks me to re-sign into Gmail, which only happens every week or two.

    The spec requires a client to explicitly request a refresh token. With FusionAuth you have to request the offline_access scope (which is common for other auth providers, but I wasn't able to find it in the RFC), so it's a way to offer more flexibility.
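The tradeoff the answer above describes, shown end to end as an added example (this is not code from the thread, from the Modern Guide to OAuth, or from FusionAuth). It assumes a toy authorization server with one HMAC-SHA256 signing key and an in-memory store, fixed lifetimes of 5 minutes for access tokens and 30 days for refresh tokens, and the offline_access scope convention mentioned above. Refresh tokens are single-use and rotated on every refresh, which is a design choice beyond what the thread discusses. The demo shows the point of the answer directly: banning the user kills the refresh token immediately, while an access token minted before the ban keeps verifying until it expires.

```python
# Added example: access tokens are signed JWTs checked statelessly; refresh
# tokens are opaque, stored server-side (hashed) and therefore revocable.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

ACCESS_TTL = 300          # 5 minutes: short-lived, verified offline, not revocable
REFRESH_TTL = 30 * 86400  # 30 days: long-lived, opaque, revocable server-side


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServer:
    """Toy authorization server (assumption: a single HMAC-SHA256 signing key)."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._refresh: dict = {}      # sha256(refresh token) -> record; a DB leak yields no usable tokens
        self._banned: set = set()

    # ---- access tokens: signed JWT, verified without any lookup ----------
    def _mint_access(self, sub: str, scope: str, now: float) -> str:
        header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
        claims = {"sub": sub, "scope": scope, "iat": int(now), "exp": int(now) + ACCESS_TTL}
        payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(self._key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def verify_access(self, token: str, now: float) -> Optional[dict]:
        """What a resource server does: check signature and expiry only.
        No database lookup, so a ban issued after minting is NOT visible here."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        header, payload, sig = parts
        expected = hmac.new(self._key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        return claims if claims.get("exp", 0) > now else None

    # ---- refresh tokens: opaque, stored, revocable ----------------------
    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, sub: str, scope: str, now: float) -> dict:
        out = {"access_token": self._mint_access(sub, scope, now), "expires_in": ACCESS_TTL}
        if "offline_access" in scope.split():   # client must explicitly ask for a refresh token
            rt = secrets.token_urlsafe(32)
            self._refresh[self._hash(rt)] = {"sub": sub, "scope": scope, "exp": now + REFRESH_TTL}
            out["refresh_token"] = rt
        return out

    def login(self, user: str, scope: str, now: float) -> dict:
        """Called only after the user has actually authenticated (password, MFA, ...)."""
        return self._issue(user, scope, now)

    def refresh(self, refresh_token: str, now: float) -> Optional[dict]:
        """Refresh grant: every call is a chance to re-check the user's status.
        Returns a new token set, or None if the token is unknown, expired or revoked."""
        rec = self._refresh.pop(self._hash(refresh_token), None)  # single use: rotate on every refresh
        if rec is None or rec["exp"] <= now or rec["sub"] in self._banned:
            return None
        return self._issue(rec["sub"], rec["scope"], now)

    def revoke(self, refresh_token: str) -> None:
        """Sign-out: the refresh token dies now; outstanding access tokens simply expire."""
        self._refresh.pop(self._hash(refresh_token), None)

    def ban_user(self, user: str) -> None:
        self._banned.add(user)
        self._refresh = {h: r for h, r in self._refresh.items() if r["sub"] != user}


def demo() -> dict:
    """Walk the token lifecycle with constructed timestamps; returns what was observed."""
    srv = AuthServer(secrets.token_bytes(32))
    t0 = 1_700_000_000.0
    first = srv.login("alice", "read offline_access", t0)
    at, rt = first["access_token"], first["refresh_token"]
    seen = {
        "access_ok_now": srv.verify_access(at, t0 + 10) is not None,
        "access_dead_after_ttl": srv.verify_access(at, t0 + ACCESS_TTL + 1) is None,
    }
    renewed = srv.refresh(rt, t0 + ACCESS_TTL + 1)
    assert renewed is not None
    seen["refresh_gives_new_access"] = srv.verify_access(renewed["access_token"], t0 + ACCESS_TTL + 2) is not None
    seen["old_refresh_rotated_out"] = srv.refresh(rt, t0 + ACCESS_TTL + 2) is None
    srv.ban_user("alice")
    seen["banned_user_cannot_refresh"] = srv.refresh(renewed["refresh_token"], t0 + ACCESS_TTL + 3) is None
    # The access token minted before the ban is still valid until it expires: the tradeoff.
    seen["stale_access_survives_ban"] = srv.verify_access(renewed["access_token"], t0 + ACCESS_TTL + 3) is not None
    return seen


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping the access-token lifetime short bounds the window in which a stale access token outlives a ban or sign-out; the refresh call is where the server gets to say no.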