I am not quite sure why a refresh token is necessary when we could simply store a refresh time, which maps to the same thing as the refresh token's expiry date, and not have a refresh token at all.

I understand that having a long-lived access token is not good for many security reasons, hence refresh tokens are used.

But I can achieve the exact same behavior as a refresh token by having a short-lived access token with the following scenario: the authenticator can have its own database where it stores the access token itself and a refresh time as a plain integer. If the access token is expired, this refresh time is checked and the access token is either reissued or not, based on whether this refresh time has expired as well. You might say that, latency-wise, this requires lots of unnecessary database calls, but all of this can be cached on the server side really easily, so it can be avoided.

So my question is simply: why are refresh tokens necessary (and why send them back and forth to the client) when all the refreshing of a short-lived access token can be handled with a simple refresh-time integer?
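To make the two designs in the question concrete, here is an added example (not from the question or any answer on the page) that models both in a few lines: the question's "access token plus server-side refresh time" scheme, and the conventional "short-lived access token plus separate refresh token" scheme. It then checks what a copy of the access token alone can do once it has expired, which is the property that differs between the two. Class names, TTL values and the stored-record layout are assumptions made for illustration; the clock is a plain integer so the scenario runs offline.

```python
"""Added example, not part of the question: a minimal model of the two token
designs compared above. Names, TTLs and record layouts are assumed for illustration."""
import secrets

ACCESS_TTL = 300        # seconds an access token is honoured (assumed value)
REFRESH_TTL = 86400     # seconds during which renewal is allowed (assumed value)


class RefreshTimeScheme:
    """The question's proposal: the authenticator stores each access token together
    with a plain-integer refresh deadline. An expired access token that is presented
    again is reissued if the deadline has not passed."""

    def __init__(self):
        self.db = {}  # access token -> (access_expiry, refresh_deadline)

    def issue(self, now):
        tok = secrets.token_urlsafe(16)
        self.db[tok] = (now + ACCESS_TTL, now + REFRESH_TTL)
        return tok

    def authorize(self, tok, now):
        """Return the token the caller should keep using, or None if refused."""
        rec = self.db.pop(tok, None)
        if rec is None:
            return None
        access_exp, refresh_deadline = rec
        if now < access_exp:
            self.db[tok] = rec              # still valid, put it back unchanged
            return tok
        if now < refresh_deadline:
            new = secrets.token_urlsafe(16)  # reissue, keeping the original deadline
            self.db[new] = (now + ACCESS_TTL, refresh_deadline)
            return new
        return None                          # refresh window is over as well


class RefreshTokenScheme:
    """Conventional design: a short-lived access token and a separate refresh token.
    The resource side only checks access tokens; renewal requires the refresh token."""

    def __init__(self):
        self.access = {}   # access token -> expiry
        self.refresh = {}  # refresh token -> renewal deadline

    def issue(self, now):
        a, r = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[a] = now + ACCESS_TTL
        self.refresh[r] = now + REFRESH_TTL
        return a, r

    def authorize(self, access, now):
        exp = self.access.get(access)
        if exp is None or now >= exp:
            self.access.pop(access, None)   # expired tokens are simply dropped
            return None
        return access

    def renew(self, refresh, now):
        """Rotate: spend the presented refresh token and hand out a new pair."""
        deadline = self.refresh.pop(refresh, None)
        if deadline is None or now >= deadline:
            return None
        a, r = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[a] = now + ACCESS_TTL
        self.refresh[r] = deadline
        return a, r


def compare_after_expiry():
    """Constructed scenario: an access token is copied at t=0 and presented again
    at t=ACCESS_TTL+1, after it has expired. Reports what each scheme does with it."""
    t0, later = 0, ACCESS_TTL + 1

    a_scheme = RefreshTimeScheme()
    a_tok = a_scheme.issue(t0)
    a_result = a_scheme.authorize(a_tok, later)      # reissued: a new usable token

    b_scheme = RefreshTokenScheme()
    b_access, b_refresh = b_scheme.issue(t0)
    b_result = b_scheme.authorize(b_access, later)   # refused: nothing is reissued
    b_renewed = b_scheme.renew(b_refresh, later)     # only the refresh token renews

    return {
        "refresh_time_scheme_renews_from_access_token": a_result is not None,
        "refresh_token_scheme_renews_from_access_token": b_result is not None,
        "refresh_token_scheme_renews_from_refresh_token": b_renewed is not None,
        "old_refresh_token_reusable_after_rotation": b_scheme.renew(b_refresh, later) is not None,
    }


if __name__ == "__main__":
    for name, value in compare_after_expiry().items():
        print(f"{name}: {value}")
```

The run shows the distinction the question is circling: in the refresh-time scheme the value that renews a session is the same value sent on every API request, so an expired access token is still a live renewal credential until the refresh deadline passes; in the refresh-token scheme the access token is dead once it expires, and the renewal credential is a separate secret that only ever goes to the authenticator and is rotated on use.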
