danial mohamadnejad

Reputation: 21

How do refresh tokens add security to JWT?

I know how JWT works and, if I am right, refresh tokens are used to generate or sign new JWTs or access tokens. So do they play the role of an encryption key? I don't understand how refresh tokens help increase the security of a JWT when the JWT is stolen. Does it matter whether refresh tokens are kept in the DB or in the JWT payload itself (or somewhere else on the client apart from the access token)? Is their sole purpose of existence just refreshing the token, without any real additional security enhancement? If a hacker manages to steal the JWT, can the refresh token help? Please explain, thanks in advance.

Upvotes: 1

Views: 691

Answers (1)

Gary Archer

Reputation: 29208

Refresh tokens enable you to keep the lifetimes of access tokens short, which has some indirect security benefits. Consider the following configured times:

  • Access token: 15 minutes
  • Refresh token: 4 hours

ACCESS TOKENS

An access token is usually a bearer token that can be used by anyone if stolen, similar to cash. If an attacker somehow steals an access token, they should not be able to use it for long.

Access tokens are not usually revokable in practical terms. This is because they are used for API calls, and if all APIs had to contact the token issuer (usually an OAuth Authorization Server) on every API request, this would be a performance problem.

REFRESH TOKENS

These do not perform encryption and are just used by a client to refresh access tokens. The refresh operation should require a client secret. This ensures that if an attacker somehow steals a refresh token it is not easy for them to use it.

Refresh tokens have longer lifetimes, usually representing that of an authenticated user session. When it expires, the user must re-authenticate. All providers should allow refresh tokens to be revoked, but doing so will not usually revoke active access tokens.

RECOMMENDATIONS

  • Keep access token lifetimes short, for good security
  • Use longer lived refresh tokens to provide good usability, and require a client secret
  • Avoid adding complexity by writing code to try to deal with stolen access tokens

Upvotes: 2
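As an added illustration of the lifetimes and checks the answer above describes (example code written for this page, not the answer author's code and not any OAuth library's API): a toy authorization server mints 15-minute HS256 access tokens and 4-hour opaque refresh tokens kept server-side, a resource server validates access tokens locally without contacting the issuer, and a scenario shows that a stolen access token works only until it expires, that a stolen refresh token is useless without the client secret, and that revoking a refresh token does not invalidate an access token that was already issued. The client id `web-app`, the secret `s3cret`, the subject `alice` and the fixed clock `t0` are constructed values.

```python
import base64
import hashlib
import hmac
import json
import secrets

ACCESS_TOKEN_LIFETIME = 15 * 60       # 15 minutes, as in the answer
REFRESH_TOKEN_LIFETIME = 4 * 60 * 60  # 4 hours, as in the answer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class AuthorizationServer:
    """Toy OAuth issuer (constructed for illustration, not a real product)."""

    def __init__(self, signing_key: bytes, clients: dict):
        self._key = signing_key          # HMAC key used to sign access tokens
        self._clients = clients          # client_id -> client_secret
        self._refresh_tokens = {}        # opaque refresh token -> metadata

    def issue_tokens(self, client_id, client_secret, subject, now):
        """Initial login: returns (access_token, refresh_token)."""
        self._check_client(client_id, client_secret)
        refresh = secrets.token_urlsafe(32)   # opaque, nothing to decode
        self._refresh_tokens[refresh] = {
            "sub": subject, "client_id": client_id,
            "exp": now + REFRESH_TOKEN_LIFETIME, "revoked": False,
        }
        return self._mint_access_token(subject, now), refresh

    def refresh(self, client_id, client_secret, refresh_token, now):
        """Refresh grant: client secret is required, then the stored token is checked."""
        self._check_client(client_id, client_secret)
        entry = self._refresh_tokens.get(refresh_token)
        if (entry is None or entry["revoked"]
                or entry["client_id"] != client_id or now >= entry["exp"]):
            raise PermissionError("invalid_grant")
        return self._mint_access_token(entry["sub"], now)

    def revoke_refresh_token(self, refresh_token):
        """Revocation only affects the refresh token; issued access tokens live on."""
        entry = self._refresh_tokens.get(refresh_token)
        if entry is not None:
            entry["revoked"] = True

    def _check_client(self, client_id, client_secret):
        expected = self._clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("invalid_client")

    def _mint_access_token(self, subject, now):
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"sub": subject, "iat": int(now), "exp": int(now) + ACCESS_TOKEN_LIFETIME}
        compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
        signing_input = compact(header) + "." + compact(payload)
        sig = hmac.new(self._key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)


def api_accepts(signing_key: bytes, access_token: str, now: float) -> bool:
    """Resource server check: signature and expiry only, no call to the issuer."""
    try:
        h, p, s = access_token.split(".")
    except ValueError:
        return False
    expected = hmac.new(signing_key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False
    payload = json.loads(_b64url_decode(p))
    return now < payload["exp"]


def scenario():
    """Walk through the answer's points with a fixed clock; returns the outcomes."""
    key = secrets.token_bytes(32)
    server = AuthorizationServer(key, {"web-app": "s3cret"})
    t0 = 1_700_000_000.0  # constructed epoch time
    access, refresh = server.issue_tokens("web-app", "s3cret", "alice", t0)
    r = {}
    # A stolen access token is cash-like: usable until it expires, then worthless.
    r["access_valid_now"] = api_accepts(key, access, t0 + 60)
    r["access_expired_after_15min"] = api_accepts(key, access, t0 + ACCESS_TOKEN_LIFETIME + 1)
    # A stolen refresh token alone is not enough: the client secret is required.
    try:
        server.refresh("web-app", "wrong-secret", refresh, t0 + 60)
        r["refresh_without_secret"] = True
    except PermissionError:
        r["refresh_without_secret"] = False
    # The legitimate client refreshes and gets a fresh 15-minute token.
    new_access = server.refresh("web-app", "s3cret", refresh, t0 + 20 * 60)
    r["refresh_with_secret"] = api_accepts(key, new_access, t0 + 21 * 60)
    # Revoking the refresh token blocks further refreshes but not the live access token.
    server.revoke_refresh_token(refresh)
    try:
        server.refresh("web-app", "s3cret", refresh, t0 + 22 * 60)
        r["refresh_after_revoke"] = True
    except PermissionError:
        r["refresh_after_revoke"] = False
    r["access_still_valid_after_revoke"] = api_accepts(key, new_access, t0 + 22 * 60)
    # After the 4-hour session lifetime the refresh token itself expires.
    _, refresh2 = server.issue_tokens("web-app", "s3cret", "alice", t0)
    try:
        server.refresh("web-app", "s3cret", refresh2, t0 + REFRESH_TOKEN_LIFETIME + 1)
        r["refresh_after_4h"] = True
    except PermissionError:
        r["refresh_after_4h"] = False
    return r


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The resource server in `api_accepts` never talks to the issuer, which is why it cannot see the revocation; that is the performance trade-off the answer describes, and the reason short access-token lifetimes matter more than trying to revoke individual access tokens.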
