Reputation: 14230
why shouldn't we use the access_token as the refresh_token
I understand that the authentication process with access/refresh tokens works like this:
- Exchange username/password for refresh_token
- Use refresh_token to get access_token
- Use access_token for requests (no DB call needed)
- If access_token is expired -> use refresh_token to get a new one (DB call needed)
Process to manage/revoke access:
- Exchange username/password for refresh_token
- Store refresh_token in the DB
- Check revoked flag in DB when using a refresh_token to get an access_token
- Block by setting revoked flag
DB interactions: Only needed for refreshing tokens. i.e. frequency depends on the access_token lifetime.
User Experience: Login required when
- first visit
- refresh_token revoked
- refresh_token expired
Security implications:
- refresh_token stolen: vulnerable until manually revoked or for a long time
- access_token stolen: vulnerable short time. Cannot be revoked
- logout: access_token remains valid until expired/cannot be revoked
Without refresh_token: +No long lived vulnerability -Bad UX. User needs to login frequently
Now I am wondering why we cannot just use the access_token as the refresh_token:
- Exchange username/password for access_token
- Store access_token in the DB
- Use access_token for all request (no DB call)
- When expired: Check DB if revoked flag set. If not -> Create new access_token and set revoked for old token. (optionally, only allow this for x time after expiration. This is the equivalent to an expiration date for the refresh_token)
Now UX/security/DB_call_frequency seem to be identical. So why do we need a seperate refresh_token?
The only argument I can see is that separating them reduces the risk that a refresh_token gets stolen because it is sent less frequently.
Upvotes: 0
Views: 105
Answers (1)
Reputation: 606
Create new access_token and set revoked for old token. (optionally, only allow this for x time after expiration. This is the equivalent to an expiration date for the refresh_token)
You wanted to do this again by exchanging username and password?
If so then user needs to login again. You can use Client Credentials Grant https://www.rfc-editor.org/rfc/rfc6749#section-4.4 or Implicit flow https://www.rfc-editor.org/rfc/rfc6749#section-4.2 which sends access token only, these flows doesn't send refresh tokens. If you can send username and password, you can use Client credentials grant and request access tokens every time it gets expired.
Upvotes: 0
Related Questions
- What's the point of refresh token?
- How can both using refresh- and access tokens be more 'secure' than just using 1 JWT?
- Is a Refresh Token really necessary when using JWT token authentication?
- What's the whole point of a JWT refresh token?
- Are refresh token necessary?
- JWT: what is the advantage of a refresh token when using grant_type=password
- Why refresh token has to be replaced when used?
- Why use JWT refresh token
- In OAuth2, why not always use the refresh token?
- Why don't APIs use access token instead of refresh token?