I read a few articles, but I'm still not able to derive a good enough understanding. So far, I understand that:
After successful authentication, the server sends back an access token (e.g. a JWT) that a client uses to make authorized subsequent requests.
But this access token can get stolen from the client. So we'd make it short-lived. And we use a refresh token to renew the access token without having the user follow the authentication process again.
Questions:
Where do we keep the refresh token? Do we send it back to the client on initial successful authentication? Or do we store it on the server somewhere (DB)?
If we're sending it back to the client and the client is using the refresh token to generate more short-lived access tokens, then that refresh token can also be stolen. How does that make the process secure? Wouldn't keeping a long-lived access token safe suffice?
Thank you.
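As an added illustration of the flow the question describes (this is example code written for this page, not taken from any article the poster read, and not a real JWT or OAuth library), the following Python sketch issues short-lived signed access tokens and opaque refresh tokens, keeps only a hash of each refresh token server-side, and rotates the refresh token on every use so that a stolen-and-replayed refresh token is detected and its whole token family revoked. All names (`TokenService`, `ACCESS_TTL`, `REFRESH_TTL`, the token format) and the constructed secret are assumptions made for the example; the injectable `now` clock exists only so the expiry behaviour can be exercised deterministically.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 300                 # access tokens live 5 minutes (assumed value)
REFRESH_TTL = 30 * 24 * 3600     # refresh tokens live 30 days (assumed value)


class TokenService:
    """Hypothetical token issuer: HMAC-signed access tokens plus rotating,
    server-side-tracked opaque refresh tokens with reuse detection."""

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now
        # Only a SHA-256 hash of each refresh token is stored, so a leaked
        # database does not hand out usable refresh tokens.
        self.refresh_store: dict[str, dict] = {}

    # ---- access tokens (self-contained, verified without a DB lookup) ----
    def issue_access_token(self, user: str) -> str:
        payload = {"sub": user, "exp": int(self.now()) + ACCESS_TTL}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        sig = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def verify_access_token(self, token: str):
        """Return the subject if the signature is valid and not expired, else None."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["exp"] < self.now():
            return None
        return payload["sub"]

    # ---- refresh tokens (opaque, stored hashed, single-use) ----
    @staticmethod
    def _key(raw: str) -> str:
        return hashlib.sha256(raw.encode()).hexdigest()

    def _new_refresh_token(self, user: str, family: str) -> str:
        raw = secrets.token_urlsafe(32)
        self.refresh_store[self._key(raw)] = {
            "sub": user,
            "family": family,          # all tokens descending from one login
            "exp": self.now() + REFRESH_TTL,
            "used": False,
        }
        return raw

    def login(self, user: str):
        """Called after the user authenticated; returns (access, refresh)."""
        family = secrets.token_hex(8)
        return self.issue_access_token(user), self._new_refresh_token(user, family)

    def refresh(self, raw: str):
        """Exchange a refresh token for a new (access, refresh) pair, or None."""
        rec = self.refresh_store.get(self._key(raw))
        if rec is None:
            return None
        if rec["exp"] < self.now():
            del self.refresh_store[self._key(raw)]
            return None
        if rec["used"]:
            # The same refresh token presented twice means either the
            # legitimate client or a thief holds a copy: revoke the family.
            self.revoke_family(rec["family"])
            return None
        rec["used"] = True
        user, family = rec["sub"], rec["family"]
        return self.issue_access_token(user), self._new_refresh_token(user, family)

    def revoke_family(self, family: str) -> None:
        doomed = [k for k, v in self.refresh_store.items() if v["family"] == family]
        for k in doomed:
            del self.refresh_store[k]


if __name__ == "__main__":
    svc = TokenService(b"constructed-demo-secret-not-for-real-use")
    access, refresh = svc.login("alice")
    print("access ok:", svc.verify_access_token(access) == "alice")
    access2, refresh2 = svc.refresh(refresh)
    print("reuse of old refresh token rejected:", svc.refresh(refresh) is None)
    print("family revoked after reuse:", svc.refresh(refresh2) is None)
```

The design encodes the usual answer to the question: the refresh token is handed to the client, but the server also keeps a hashed record of it, so the client holding it is not the only source of truth. Rotation plus reuse detection means a stolen refresh token buys an attacker at most one renewal before the legitimate client's next refresh exposes the theft, which a single long-lived access token cannot offer.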