2
votes

Why can't the client simply send both the access and refresh tokens together for every authorized request? If the access token is expired, it wouldn't require two additional trips to retrieve a new access token and finally make the relevant request.

I realize this operation is amortized, but it would lessen the number of requests for very short access tokens. And under SSL, I don't see how adding the refresh token makes this any more vulnerable. Or does it?

2 Answers

2
votes

I think the main reason is that the refresh token and the access token are sent to different places. The access token is sent to the resource server and the refresh token is sent to the authorization server. In the general case, there's nothing that the resource server can do with the refresh token.

0
votes

Some reasons:

The access token provides an abstraction layer, replacing different authorization constructs (e.g., username and password) with a single token understood by the resource server. This abstraction enables issuing access tokens more restrictive than the authorization grant used to obtain them, as well as removing the resource server's need to understand a wide range of authentication methods.

https://www.rfc-editor.org/rfc/rfc6749#section-1.4

  • Having the resource servers understand refresh tokens means more work for them when it can / should be abstracted away (by the authorization server).

...

Because refresh tokens are typically long-lasting credentials used to request additional access tokens, the refresh token is bound to the client to which it was issued. If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.

https://www.rfc-editor.org/rfc/rfc6749#section-6

  • A refresh request requires client credentials. The resource server shouldn't have to ever see the client's credentials.

  • Refresh tokens are meant to be long-lasting, while access tokens aren't (or shouldn't be).
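A small simulation of the three parties, as an added example that is not code from the question or either answer: it assumes a confidential client with constructed credentials and that the resource server can look up access tokens at the authorization server (introspection). The client sends only the access token; once it expires the resource server answers 401 whether or not a refresh token is attached, and only the authorization server, given the client secret, can exchange the refresh token for a new pair.

```python
import secrets
import time

# Constructed demo of the three OAuth 2.0 roles in one process; a shared clock lets us expire tokens.
CLIENT_ID, CLIENT_SECRET = "demo-client", "demo-secret"  # assumed client credentials

class AuthorizationServer:
    """The only party that ever sees a refresh token (RFC 6749 section 6)."""
    def __init__(self, clock=time.time, access_ttl=60):
        self.clock, self.access_ttl = clock, access_ttl
        self.access = {}   # access token -> expiry time
        self.refresh = {}  # refresh token -> client_id it is bound to

    def issue(self, client_id):
        a, r = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[a] = self.clock() + self.access_ttl
        self.refresh[r] = client_id
        return a, r

    def refresh_grant(self, refresh_token, client_id, client_secret):
        # A confidential client must authenticate, and the token must be bound to it.
        if client_secret != CLIENT_SECRET or self.refresh.get(refresh_token) != client_id:
            return None
        del self.refresh[refresh_token]  # rotate: the old refresh token is spent
        return self.issue(client_id)

class ResourceServer:
    """Validates bearer access tokens only; a refresh token means nothing here."""
    def __init__(self, auth):
        self.auth = auth  # assumption: token lookup via the auth server (introspection)

    def handle(self, headers):
        token = headers.get("Authorization", "").removeprefix("Bearer ")
        exp = self.auth.access.get(token)
        if exp is None or exp <= self.auth.clock():
            return 401  # any extra header such as X-Refresh-Token is simply ignored
        return 200

def client_call(tokens, auth, rs):
    """Send only the access token; on 401, refresh at the auth server and retry once."""
    access, refresh = tokens
    status = rs.handle({"Authorization": f"Bearer {access}"})
    if status == 401:
        pair = auth.refresh_grant(refresh, CLIENT_ID, CLIENT_SECRET)
        if pair is None:
            return 401, tokens
        tokens = pair
        status = rs.handle({"Authorization": f"Bearer {pair[0]}"})
    return status, tokens
```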