
As far as I understand a JWT token has two parts:

- access token (short validity)
- refresh token (long validity)

The purpose of keeping the access token short lived is that if it gets compromised, the user will not be able to access the resource after its expiry.

The purpose of keeping the refresh token long lived is that if the access token expires, the refresh token can then be used to generate a new access token OR increase the expiry time of the access token.

My question is, what if the refresh token gets compromised? In that case what is the whole point of keeping the access token short lived? Because the hacker can then keep getting a new access token issued each time the old one expires, using the stolen refresh token.

Can someone explain to me please?

Phantom007
  • Your understanding is completely incorrect. JWTs don't "have" access tokens or refresh tokens. Access and refresh tokens are completely separate concepts from JWT, which is a particular implementation of a particular type of token. – user229044 Jul 16 '23 at 14:08

1 Answer

You are on the right track with your understanding of access and refresh tokens.

Access tokens are indeed short-lived and are used to authenticate individual requests to a server. These tokens are designed to be passed around and possibly exposed in insecure environments, hence the short lifespan.

On the other hand, refresh tokens are long-lived and are used to obtain new access tokens when the current one expires. The refresh token is typically stored securely by the client and not sent in every request, reducing the likelihood of it being intercepted. It is usually used only in a secure environment, and typically over HTTPS only.

As you mentioned, if the refresh token is compromised, an attacker could use it to obtain new access tokens. This is indeed a serious risk, which is why refresh tokens must be stored and transmitted as securely as possible.

Additionally, refresh tokens often come with other security mechanisms to manage risk:

Revocability: Refresh tokens can be revoked by the server. They should be revoked when the user logs out, when they are used to issue a new refresh token, or if any suspicious activity is detected. If a refresh token is compromised and the server or the legitimate client realizes this, they can make the token useless by revoking it.

Rotation of Refresh Tokens: Some implementations use a refresh token rotation strategy. This means that each time a client uses a refresh token to get a new access token, a new refresh token is also returned. The previous refresh token is invalidated. Therefore, if a refresh token is stolen and the legitimate client uses the valid refresh token to get a new pair of access and refresh tokens, the server will notice that the stolen refresh token is being used again and can block the user account or take other appropriate security actions.

Limited use: Refresh tokens are often scoped to certain actions. They may not grant full access to a user’s resources, only the ability to get a new access token.

I hope this clarifies a bit about the access and refresh tokens.

Fenio
  • This is a great answer about access tokens and refresh tokens. However, it has nothing to do with JWT: this is the same for every type of token format. Note that using JWT is not ideal because the revocation and rotation you describe are not that easy; thus JWT for refresh tokens is not recommended at all. – Spomky-Labs Jul 14 '23 at 13:46
  • @Spomky-Labs Just like the question was not about JWT but access/refresh tokens. I think it does answer the question though – Fenio Jul 14 '23 at 14:07
  • Yes it does answer the question (and this is what I wrote), but still JWT is mentioned in the title, the first part of the question, the tags and the beginning / end of the answer. – Spomky-Labs Jul 15 '23 at 03:33
  • @Spomky-Labs Do you feel like I should add information about the characteristics of JWT to make the answer better? – Fenio Jul 15 '23 at 10:28
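
Worked example added to this page (not code from the original question or answer): a small Python refresh-token service that implements the rotation, replay detection and family revocation the answer above describes, beside stateless short-lived access tokens, so you can see exactly what a stolen refresh token buys an attacker and what it does not. The `TokenService` name, the TTL values, the HMAC-signed access-token format and the demo key are assumptions made for illustration; the access token is a deliberately minimal stand-in for a JWT-style signed token, and the refresh tokens are opaque random values (the kind the comments recommend), stored only as hashes.

```python
"""Refresh-token rotation with replay detection and family revocation.

Added example, not from the original post. Access tokens are stateless
HMAC-signed strings (signature + expiry only); refresh tokens are opaque
random values whose hashes are stored server-side so they can be rotated
and revoked. Names, TTLs and the demo key are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

ACCESS_TTL = 15 * 60           # short-lived access token (seconds)
REFRESH_TTL = 30 * 24 * 3600   # long-lived refresh token (seconds)


@dataclass
class RefreshRecord:
    user: str
    family: str            # one family per login; rotated descendants share it
    expires_at: float
    used: bool = False     # set once this token was exchanged for a new pair
    revoked: bool = False


class TokenService:
    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret
        self._clock = clock          # injectable clock so expiry can be tested
        # sha256(refresh token) -> record; a leaked copy yields no usable tokens
        self._refresh: dict = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _sign(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def _issue_pair(self, user: str, family: str):
        now = self._clock()
        payload = f"{user}|{family}|{int(now) + ACCESS_TTL}"
        access = payload + "." + self._sign(payload)     # stateless, self-contained
        refresh = secrets.token_urlsafe(32)              # opaque, stored hashed
        self._refresh[self._digest(refresh)] = RefreshRecord(user, family, now + REFRESH_TTL)
        return access, refresh

    def login(self, user: str):
        return self._issue_pair(user, secrets.token_hex(8))

    def verify_access(self, access: str) -> Optional[str]:
        """Stateless check: valid signature and not expired -> user, else None."""
        payload, _, sig = access.rpartition(".")
        if not hmac.compare_digest(self._sign(payload), sig):
            return None
        user, _family, exp = payload.split("|")
        if int(exp) <= self._clock():
            return None
        return user

    def revoke_family(self, family: str) -> None:
        for rec in self._refresh.values():
            if rec.family == family:
                rec.revoked = True

    def logout(self, refresh: str) -> None:
        rec = self._refresh.get(self._digest(refresh))
        if rec is not None:
            self.revoke_family(rec.family)

    def refresh(self, refresh: str):
        rec = self._refresh.get(self._digest(refresh))
        if rec is None or rec.revoked or rec.expires_at <= self._clock():
            return None
        if rec.used:
            # Replay of an already rotated token: the legitimate client or a
            # thief holds a stale copy and the server cannot tell which, so the
            # whole family is revoked and the user must log in again.
            self.revoke_family(rec.family)
            return None
        rec.used = True
        return self._issue_pair(rec.user, rec.family)


def demo() -> dict:
    """Stolen refresh token: legitimate client rotates first, thief replays."""
    now = [1_700_000_000.0]                      # constructed fixed clock
    svc = TokenService(b"constructed-demo-key", clock=lambda: now[0])
    _access1, refresh1 = svc.login("alice")
    access2, refresh2 = svc.refresh(refresh1)    # legitimate rotation
    thief = svc.refresh(refresh1)                # replay -> None, family revoked
    legit_after = svc.refresh(refresh2)          # legit client locked out too
    still_valid = svc.verify_access(access2)     # stateless: valid until expiry
    now[0] += ACCESS_TTL + 1
    expired = svc.verify_access(access2)
    return {"thief": thief, "legit_after": legit_after,
            "still_valid": still_valid, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Two things the run makes concrete. First, rotation turns a stolen refresh token into a race the attacker usually loses: whichever side presents the old token second trips the replay check, and the whole family dies, so the thief is cut off no later than the victim's next refresh. Second, because the access token is validated statelessly, revoking the family does not kill access tokens already issued; they stay valid until `ACCESS_TTL` runs out, which is exactly why the access lifetime is kept short.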