Strawberry

Reputation: 67868

What is the issue for long lived access tokens from the password grant?

Is there any security reason why I can't set the access tokens issued through password grant to 30 days?

If it's not a bad idea, then what should I do to mitigate the situation? For example,

  1. It could be stolen, but that's the same as your password.
  2. I could add a GUI to allow revoking of access tokens issued to mitigate 1.
  3. I can ensure all previous access tokens are revoked after a password change.

Upvotes: 1

Views: 1018

Answers (1)

Kavindu Dodanduwa

Reputation: 13059

It is not advisable to have long-lived access tokens. Yes, that's because of the fact that they could be stolen.

> It could be stolen, but that's the same as your password.

Stealing an access token is better than stealing a password. This is what OAuth 2.0 tries to solve. Usually user passwords are commonly reused (ex:- the same password for Facebook and an email account). Thus stealing one has more security concerns. But still, stealing an access token is bad. Limiting its lifetime is one way to mitigate the risk.

> I could add a GUI to allow revoking of access tokens issued to mitigate 1.

You could, but by the time you detect this, it could be too late! For example, 30 days is a lot of time and a malicious party can obtain everything under its scope.

> I can ensure all previous access tokens are revoked after a password change.

By default this must be done! So this is not a solution for your scenario but a standard practice.

A solution?

Use refresh tokens to refresh expired access tokens. Usually a refresh token has an extended lifetime. Unlike an access token, you will use it rarely, thus if you store it securely, you can protect it. Also, if your client is of type confidential, then you add another level of protection. So short-lived access tokens and long-lived refresh tokens are a better solution.

Upvotes: 1
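An added example, not code from the question or the answer, sketching the answer's recommendation in Python: a minimal in-memory token issuer that hands out short-lived access tokens with long-lived, single-use refresh tokens from the password grant, and drops every token of a user on password change. The class name `TokenStore`, the lifetimes and the injectable clock are assumptions for the illustration.

```python
import secrets
import time

ACCESS_TTL = 15 * 60           # short-lived access token: 15 minutes (assumed)
REFRESH_TTL = 30 * 24 * 3600   # long-lived refresh token: 30 days (assumed)


class TokenStore:
    """Constructed example of an OAuth 2.0 token issuer (not a real library)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised
        self.access = {}        # access_token  -> (user, expiry_timestamp)
        self.refresh = {}       # refresh_token -> (user, expiry_timestamp)

    def password_grant(self, user):
        # Called only after the resource owner's password has been verified.
        return self._issue(user)

    def _issue(self, user):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        t = self.now()
        self.access[at] = (user, t + ACCESS_TTL)
        self.refresh[rt] = (user, t + REFRESH_TTL)
        # expires_in tells the client when it must use the refresh token.
        return {"access_token": at, "refresh_token": rt, "expires_in": ACCESS_TTL}

    def validate_access(self, at):
        """Return the user for a live access token, or None if unknown/expired."""
        entry = self.access.get(at)
        if entry is None or entry[1] <= self.now():
            return None
        return entry[0]

    def refresh_grant(self, rt):
        """Exchange a refresh token for a fresh pair; the old one is single use."""
        entry = self.refresh.pop(rt, None)   # rotation: a replayed token fails
        if entry is None or entry[1] <= self.now():
            return None
        return self._issue(entry[0])

    def revoke_user(self, user):
        """Standard practice after a password change: drop all of the user's tokens."""
        for store in (self.access, self.refresh):
            for tok in [k for k, v in store.items() if v[0] == user]:
                del store[tok]
```

A stolen access token is therefore only useful until `expires_in` elapses, while the refresh token is presented rarely and is invalidated by rotation or revocation.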
