What is the security risk of having longer Refresh token in Authorization server?


We have a client application that interacts with an application using OAuth authentication. We don't want to authenticate the user every time the refresh token expires. So, we thought we could keep the refresh token expiration time at up to 1 year. What is the security risk if we have this type of setup with longer refresh tokens?



b.s On

> What is the security risk if we have this type of setup with longer refresh tokens?

Refresh tokens are bearer tokens, so whoever holds one can use it to obtain a new access token from the authorization server until it expires. Therefore, a refresh token with a very long lifespan could theoretically give the token bearer unlimited power to get new access tokens. The newly obtained access token could then be used to access the protected resources at any time. The bearer of the refresh token could be a legitimate user or a malicious user. As with access tokens, it is advisable to use a short lifespan for refresh tokens. The validity period of refresh tokens can be increased up to a certain extent in highly trusted systems and communications.
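The bearer-token point in the answer above, as an added example that is not from the original post: a small, constructed Python model of an authorization server's refresh-token store, with a helper that shows how long a refresh token copied at login stays redeemable under a 1-year versus a 30-day lifetime. It goes beyond the answer by also rotating the refresh token on every use and revoking the whole token family when a token is presented twice, the reuse-detection mitigation recommended in the OAuth 2.0 Security BCP; the user names and the `AuthorizationServer` class are assumptions for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class RefreshRecord:
    user: str
    family: str          # all tokens descended from one login share a family id
    expires_at: float    # absolute expiry in seconds; never extended on use
    used: bool = False


class AuthorizationServer:
    # Constructed in-memory model, not a real authorization server.
    def __init__(self, refresh_lifetime_s: float, now):
        self.refresh_lifetime_s = refresh_lifetime_s
        self.now = now                      # injectable clock for deterministic tests
        self.tokens: dict[str, RefreshRecord] = {}
        self.revoked_families: set[str] = set()

    def login(self, user: str) -> str:
        return self._mint(user, secrets.token_hex(8))

    def _mint(self, user: str, family: str) -> str:
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = RefreshRecord(user, family, self.now() + self.refresh_lifetime_s)
        return tok

    def redeem(self, token: str) -> tuple[str, str]:
        # Exchange a refresh token for (access_token, rotated_refresh_token) or raise.
        rec = self.tokens.get(token)
        if rec is None or rec.family in self.revoked_families:
            raise PermissionError("unknown or revoked refresh token")
        if self.now() > rec.expires_at:
            raise PermissionError("refresh token expired")
        if rec.used:
            # The same bearer token arrived twice: the client or a thief holds a copy,
            # so every token in this login's family is invalidated.
            self.revoked_families.add(rec.family)
            raise PermissionError("refresh token reuse detected; family revoked")
        rec.used = True
        return "access-" + secrets.token_hex(8), self._mint(rec.user, rec.family)


def stolen_token_usable(lifetime_days: float, attempt_day: float) -> bool:
    # Does a refresh token copied at login still redeem `attempt_day` days later?
    clock = [0.0]
    srv = AuthorizationServer(lifetime_days * 86400, now=lambda: clock[0])
    stolen = srv.login("alice")             # the copy an attacker obtained at login
    clock[0] = attempt_day * 86400
    try:
        srv.redeem(stolen)
        return True
    except PermissionError:
        return False
```

With a 1-year lifetime the copied token still works 300 days later; with 30 days it is rejected, and rotation additionally stops a copy from being used alongside the legitimate client.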