User identification
Alexander, 2020-01-31 22:34:19

Why is a refresh token needed?

I don't understand why you need a refresh token. On the Internet, I found 2 reasons:
1) A refresh token can be sent not with every request, but only occasionally, which reduces the risk of interception, while the access token is sent frequently but has a short lifetime. But what if I store tokens in HttpOnly cookies? Cookies are sent with each request anyway, and given that all requests are protected by SSL, there seem to be no security problems here. In any case, HttpOnly cookies are the safest place to store tokens in a browser.
2) A refresh token makes it possible to avoid one session being used on 2 devices at the same time (in case of token theft), because each refresh token can be used only once, and when an attempt is made to use the same refresh token again, we can reset the session.

To sum up: the first point does not make sense when tokens are stored in HttpOnly cookies, and the second point can be implemented using a single self-renewing token, which would have a short period of use as an access token and a long period as a refresh token. So what is the essence of the refresh token?


1 answer(s)
Ilya, 2020-02-01
@LordGuard

Definition of the token in the RFC

Refresh tokens are credentials used to obtain access tokens. Refresh
tokens are issued to the client by the authorization server and are
used to obtain a new access token when the current access token
becomes invalid or expires, or to obtain additional access tokens
with identical or narrower scope (access tokens may have a shorter
lifetime and fewer permissions than authorized by the resource
owner). Issuing a refresh token is optional at the discretion of the
authorization server.

roughly corresponds to your reasoning about it. The only thing that is not explicitly prohibited is the reuse of a refresh_token. This is usually an option that can be set for a specific OAuth 2.0 client.
Using a refresh_token in a browser is not recommended because it cannot be stored securely. It is usually used in desktop or mobile applications that allow secure storage of the token.
https://tools.ietf.org/html/rfc6749#section-1.5
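The single-use refresh token with reuse detection that the question's second point describes (the "reuse" option Ilya mentions, set to disallowed) in a small in-memory issuer. This is an added example, not code from the thread or from any OAuth library; AuthServer, Session, the two lifetimes and the injectable clock are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass
ACCESS_TTL = 5 * 60           # access token: minutes
REFRESH_TTL = 14 * 24 * 3600  # refresh chain: days, counted from login
class ReuseDetected(Exception): pass  # an already-exchanged refresh token was replayed

@dataclass
class Session:
    user: str
    created: float
    current_refresh: str = ""  # only the newest token in the chain is valid
    revoked: bool = False

class AuthServer:
    """Hypothetical in-memory issuer with single-use (rotating) refresh tokens."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # session id -> Session
        self.refresh = {}   # every refresh token ever issued -> session id
        self.access = {}    # access token -> (session id, expiry)
    def _issue(self, sid):
        # Mint a fresh access/refresh pair; the new refresh token becomes the only valid one.
        s = self.sessions[sid]
        access_tok = secrets.token_urlsafe(32)
        self.access[access_tok] = (sid, self.clock() + ACCESS_TTL)
        s.current_refresh = secrets.token_urlsafe(32)
        self.refresh[s.current_refresh] = sid  # consumed tokens stay indexed to catch reuse
        return access_tok, s.current_refresh
    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user, self.clock())
        return self._issue(sid)
    def rotate(self, refresh_tok):
        sid = self.refresh.get(refresh_tok)
        if sid is None:
            raise KeyError("unknown refresh token")
        s = self.sessions[sid]
        if s.revoked or self.clock() > s.created + REFRESH_TTL:
            raise PermissionError("session revoked or expired; log in again")
        if refresh_tok != s.current_refresh:
            # Stale token replayed: the real client or a thief holds a copy, and the
            # server cannot tell which, so the whole session is revoked.
            s.revoked = True
            raise ReuseDetected(f"refresh token reuse on session {sid}")
        return self._issue(sid)
    def user_for(self, access_tok):
        sid, exp = self.access.get(access_tok, (None, 0))
        ok = sid is not None and not self.sessions[sid].revoked and self.clock() <= exp
        return self.sessions[sid].user if ok else None
```

A revoked session also invalidates access tokens already issued from it, so a replayed refresh token costs the thief (and the legitimate user) the whole session rather than just one exchange.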
