Are refresh token necessary?

authentication oauth jwt access-token refresh-token

I think you are forgetting something.

Refresh tokens are stored on the server. Access tokens are not. Access tokens are self contained. This is why they are referred to as bearer tokens. The bearer of the token is granted access.

Which means if an access token is stolen by a malicious party, they can be used as long it has not expired. Access tokens are considers safe because of their limited life span.

In order to use a refresh token in order to request a new access token. You need to have the client id, client secrete that was used to cerate it. You also need to be able to listen to one of the valid redirect uri's for the refresh token response.

Related

Is there any way to convert a literal to a non literal variable in bash? [duplicate]
VSCode showing "cannot find module" TS error for .vue import while compiling doesn't
How can I embed a plot within a RMarkdown table?
How to count changes within each column and in SQL
How do i group by the contents of a string list using collect() of a Stream?
Problem for reading UTF-8 file with gtfstools
Executing a method which is named via a config file
How to generate the revocation certificate after being made a revoker with GnuPG
How to move a Window that is taller than the screen so that the lower hidden part is shown
windows command-line program to change the volume of an mp3 file
Pitfalls of Windows XP Virtual Machines
Only "New Folder" in context menu in the Public folder on Windows 7