
We've been using refresh_tokens + JWT in our SPA with Identityserver3 as TokenServer (STS). I noticed that this is not recommended and we should instead use reference_token because of the revokability in case tokens were compromised.

The user requirements are to stay signed in for 30 days.

Reference tokens (approach 1)
In this case the STS issues a reference_token with long TTL (30 days). It's also recommended for Resource Owners to cache the reference_token for a short time (10min TTL) to increase performance.

If the reference_token is compromised, it can be revoked in the STS and Resources will decline requests within 10 minutes (depending on cache).

This makes sense.

Refresh tokens + short-lived JWT (approach 2)
In approach 2 the STS issues one short-lived JWT (10min TTL) and a longer refresh_token (30 days). The Resources check the validity of the JWT (which will only be valid for maximum 10 minutes).

If the refresh_token is compromised, it can be revoked in the STS and Clients will not be able to generate new JWTs. Resources will decline requests within 10 minutes (depending on JWT creation timing).

I fail to see the difference between approach 1 and approach 2 from a security standpoint.

Can someone explain this further and help me reason about which path to take?


1 Answer


The second approach has an additional attack vector, namely the access token that can be obtained from the refresh token.

I see no reason why you shouldn't use reference tokens in this case. That's what they were intended for.
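To make the comparison in the question concrete, here is an added Python simulation (not code from the question, the answer or IdentityServer3; the STS and ResourceServer classes, the TTL values and the toy tokens are all constructed assumptions). It measures how many seconds a compromised token keeps being accepted after the STS revokes it in each approach, and shows that the reference-token window is a knob on the resource server, while the JWT window is fixed at the moment the JWT is issued.

```python
import secrets

LONG_TTL = 30 * 24 * 3600    # reference token / refresh token lifetime: 30 days

# Toy token server (hypothetical, not IdentityServer3) with a simple revocation list.
class STS:
    def __init__(self, jwt_ttl=600):            # short-lived JWT, 10 min
        self.jwt_ttl, self.tokens, self.revoked = jwt_ttl, {}, set()
    def issue(self, now):                       # opaque reference or refresh token
        tok = secrets.token_hex(16)
        self.tokens[tok] = now + LONG_TTL
        return tok
    def valid(self, tok, now):                  # introspection / refresh check
        return tok in self.tokens and tok not in self.revoked and self.tokens[tok] > now
    def redeem_refresh(self, refresh, now):     # self-contained JWT: STS keeps no handle on it
        return {"exp": now + self.jwt_ttl} if self.valid(refresh, now) else None

# Toy resource server: caches introspection verdicts, validates JWTs locally.
class ResourceServer:
    def __init__(self, sts, cache_ttl=600):     # cache introspection verdicts for 10 min
        self.sts, self.cache_ttl, self.cache = sts, cache_ttl, {}
    def accept_reference(self, tok, now):
        hit = self.cache.get(tok)
        if hit is not None and hit[1] > now:    # cached verdict still fresh
            return hit[0]
        ok = self.sts.valid(tok, now)
        self.cache[tok] = (ok, now + self.cache_ttl)
        return ok
    def accept_jwt(self, jwt, now):
        return jwt["exp"] > now                 # local check only, blind to revocation

def seconds_accepted_after_revoke(check, revoke_at):
    # Step one second at a time until the resource server first rejects the token.
    return next(t for t in range(revoke_at, LONG_TTL) if not check(t)) - revoke_at

def compare_windows(cache_ttl=600, jwt_ttl=600):
    sts = STS(jwt_ttl)
    rs = ResourceServer(sts, cache_ttl)
    ref = sts.issue(0)                          # approach 1: reference token
    rs.accept_reference(ref, 0)                 # resource server caches the verdict at t=0
    sts.revoked.add(ref)                        # leak noticed, token revoked at t=1
    w1 = seconds_accepted_after_revoke(lambda t: rs.accept_reference(ref, t), 1)
    refresh = sts.issue(0)                      # approach 2: refresh token + JWT
    jwt = sts.redeem_refresh(refresh, 0)        # JWT obtained before the leak is noticed
    sts.revoked.add(refresh)                    # refresh token revoked at t=1
    w2 = seconds_accepted_after_revoke(lambda t: rs.accept_jwt(jwt, t), 1)
    return {"reference": w1, "jwt": w2,
            "new_jwt_after_revoke": sts.redeem_refresh(refresh, 1) is not None}
```

With equal TTLs both windows come out the same, which matches the observation in the question; what the second approach adds is a second bearer artifact, the access token, which the STS cannot recall once issued, so its window can only be shortened by issuing shorter JWTs, whereas the reference-token window shrinks by lowering the resource server's cache TTL.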