0 votes

I'm just learning JWT in nodejs, and I found out about refresh tokens.

As far as I understand, a user gets an access token and a refresh token. After the access token expires, a request containing the refresh token is made to get a new access token. To get a new access token, the server checks if the received refresh token is contained in a database. If the refresh token is stolen, it can easily be deleted from the DB and prevent further refreshes.

My question is: Why don't we just make the access tokens behave like refresh tokens? i.e. we store them in a database and check if they are there when making a request, and when compromised we just delete them?


1 Answer

1 votes

The key element to answering your question is that you need to add an expiration date to the access tokens you deliver to clients. This is the main purpose of refresh tokens.

Imagine someone steals your access_token and you didn't make it expire: it means that as long as you haven't discovered that your access_token has been stolen, you're literally giving a lifetime free pass to whoever has it.

With refresh tokens and expiring access_tokens, you know that the window of vulnerability is really small.

Now your second question: Why don't we make access_tokens behave like refresh_tokens?

The key idea here is to keep your refresh_token in a safe spot, and only expose access_tokens.

And by the way, refresh_tokens have one job: carry the information needed to generate new access_tokens. access_tokens, on the other hand, have their own job: carry the information necessary to give you direct access to resources.

If you pay attention to most serious websites, they have a centralized auth server that serves access_tokens.