Refresh vs. Long-lived Access Tokens
One question which I frequently receive is:
Why would you want to use long-lived refresh tokens that mint short-lived access tokens, as is common in OAuth 2.0, rather than long-lived access tokens? Aren't you simply replacing one long-lived token with another?
There isn't any one huge advantage that immediately stands out in favor of refresh tokens. Instead, there are a number of incremental improvements that add up to make the refresh token model the better overall design. The key difference is that the long-lived refresh token is only ever presented to the authorization server, while the short-lived access token is the one handed to resource servers and exposed on every request.
Refresh token pros:
- It simplifies revocation: only the refresh token needs to be invalidated at the authorization server, and outstanding access tokens die on their own within minutes, so resource servers can validate access tokens statelessly
- Short-lived access tokens limit the impact of their being leaked or compromised, since the window of use is bounded by the token's expiry
- Refresh tokens provide incremental improvements to client security, because the credential that grants long-term access is presented far less often than the access token
- Refresh tokens allow for flexibility in future access grants, since each refresh is a point at which scope, policy or token format can change without re-authenticating the user
- Refresh tokens allow you to build better heuristics around abuse detection, because every refresh is an event the authorization server can observe and reason about
Refresh token cons:
- Increased client complexity: the client must handle expiry, retry on 401 and the refresh exchange itself
- Refresh tokens act as a single point of failure: if the authorization server is down, clients cannot obtain new access tokens once the current ones expire