dbzadnen khiari

Reputation: 35

Are refresh token necessary?

I have been searching lately about refresh tokens and access tokens with rotation and something hit me.

Why not just use one token instead of an access token and a refresh token? Include in that token's payload (claims) a validation date, and make the validation period very short (just like access tokens) and the expiration date very long (just like refresh tokens).

If the validation date is earlier than the date on the server but the token has not expired, the server issues a new token and invalidates the old one (by whatever means, like a blacklist of tokens, etc., just like when an AT expires and a new one is issued using the refresh token), and if the token has expired then the server simply rejects the request and asks for authorization (just like when a refresh token expires).

If this approach works, then why do we use two tokens, which makes the dev process harder?

Upvotes: 2

Views: 1096
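The single-token scheme described in the question, written out as an added example (not code from the question or the answer): one HMAC-signed token carries both a short validation deadline (`val`) and a long hard expiry (`exp`), and the `revoked` set is the blacklist the question mentions. The key, claim names and durations are constructed for the demo; the point to notice is that the blacklist is per-token server-side state that must be kept until the hard expiry.

```python
import hmac, hashlib, json, base64, secrets

SECRET = b"constructed-demo-key"   # constructed; a deployment would use a managed key
VALID_FOR = 15 * 60                # short validation window, like an access token
LIVES_FOR = 30 * 24 * 3600         # long hard expiry, like a refresh token

def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(subject, now):
    """Mint one token carrying both a validation deadline and a hard expiry."""
    claims = {"sub": subject, "jti": secrets.token_hex(8), "iat": now,
              "val": now + VALID_FOR, "exp": now + LIVES_FOR}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def check(token, now, revoked):
    """Return (decision, token): 'accept', 'rotate' (with the new token) or 'reject'."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return "reject", None
    expect = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expect):
        return "reject", None                  # tampered or foreign token
    claims = json.loads(_unb64(body))
    if now >= claims["exp"] or claims["jti"] in revoked:
        return "reject", None                  # hard expiry or blacklisted: re-authorize
    if now >= claims["val"]:
        revoked.add(claims["jti"])             # blacklist entry: server-side state until exp
        return "rotate", issue(claims["sub"], now)
    return "accept", token                     # inside the short validation window
```

Every rotated-out `jti` has to stay in `revoked` until its `exp`, so the server keeps state for weeks per token, which is the same server-side storage the answer attributes to refresh tokens.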

Answers (1)

Linda Lawton - DaImTo

Reputation: 117301

I think you are forgetting something.

Refresh tokens are stored on the server. Access tokens are not. Access tokens are self-contained. This is why they are referred to as bearer tokens. The bearer of the token is granted access.

Which means if an access token is stolen by a malicious party, it can be used as long as it has not expired. Access tokens are considered safe because of their limited life span.

In order to use a refresh token to request a new access token, you need to have the client id and client secret that were used to create it. You also need to be able to listen on one of the valid redirect URIs for the refresh token response.

Upvotes: 0
