long-lived access token vs short-lived access token & refresh token pair

1
votes

I read a few articles, but still not able to derive a good enough understanding. So far, I understand that:

  1. After successful authentication, server sends back an access token (ex. jwt) that a client uses to make authorized subsequent requests.

  2. But this access token can get stolen from the client. So we'd make it short-lived. And, we use refresh token to renew the access token without having the user to follow authentication process again.

Questions:

Where do we keep the refresh token? Do we send it back to the client on initial successful authentication? Or do we store it on the server somewhere (DB)?

If we're sending it back to client and the client is using the refresh token to generate more short-lived access token, than that refresh token can also be stolen. How does it make the process secure? Wouldn't keeping a long-lived access token safe suffice?

Thank you.

1
authenticationoauth-2.0jwt
Tell us what you have tried and show logs or results and Read: stackoverflow.com/help/how-to-askjwilleke
@jwilleke so, i'm actually developing APIs for an app and wanted to setup authentication system and had a few questions regarding that. Nothing else.Sumit Wadhwa
@jwilleke is oauth2.0 auth protocol an overkill, if I'm creating apis for just an ios app?Sumit Wadhwa
I say no. Used by 1,000s of app developers and a proven protocol. But OAuth is NOT for Authentication. (twitter.com/ve7jtb/status/740650395735871488) Also, "Sign In with Apple" works with OpenID Connect.jwilleke

1 Answers

0
votes

To answer your first question, Ideally refresh token should be returned to the client along with the access token.

In order to make your access token/refresh token more secure you could add in some browser specific metadata into the JWT that you generate and verify on the server side to avoid token side jacking.

To learn more on some good REST security practices you can refer to this link https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets