[Q] Why don't we use refresh token?

[stillya]

In current implementation we refresh token if it's valid and expired, but what's point to refresh token without dividing on access and refresh tokens?
The reason of refreshing is to set access token expiration time to low and getting new with refresh token to not compromising security. But now if token will be compromised it can be refreshed(so user will always be logged in). It was done intentionally and I don't understand something or It's not implemented yet(if so I would like to contribute)?

[umputun]

My view on this - the refresh token can be compromised in the same way as the auth token. They both send the same "channel" and are stored similarly. Revoking the compromised token is not different from revoking the refresh token. With such a "blocked" token, users won't be able to stay logged in.

Unless I miss the point, it is not apparent what benefit the refresh token brings compared to the currently implemented "automatic refresh auth token" schema. The popular claim "you don't send refresh tokens that often" doesn't make much sense to me and I don't get how this is even related to a more/less secure system.

However, if you can think of any practical benefits I'm missing, pls share, and we can consider implementation.

[stillya]

I thought a little and yeah, you're right. In case where authentication and resource server is the same refresh token is kinda useless.

Actually I can come up with one small reason, refresh token still can be expired, so user will not be able to stay logged in forever, but I understand this is hard to name more secure.

Maybe if we add OIDC provider, so then refresh token will be needed.

[umputun]

moved to discussions