
Refresh token security

bobcatmarion edited on Wed, 21 Sep 2022

If the access_token is valid for one hour and the refresh_token is valid for 7 days:

  • Then within those 7 days I can use the refresh_token to get an access_token. Isn't that equivalent to the access_token being valid for 7 days?
  • A 7-day validity period also increases the security risk, so why use a refresh_token at all?
2 Replies
commented on Wed, 21 Sep 2022

This is a question about the size of the exposure risk and the duration of validity. If we only have one token and carry it in every request, then the exposure risk will be very high. If the validity period of this token is also relatively long, then once it is exposed, the loss will be very high, so the validity period of the access_token needs to be short.

But we don't want the user's login period to be so short, so what should we do? This is where the value of the refresh_token lies. The refresh_token only needs to be carried in the request when refreshing the access_token. Compared with the access_token, its exposure risk is much smaller, so even if its validity period is relatively long, the possibility of causing losses is relatively low.

Why does OAuth V2 have both access and refresh tokens?
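
The reasoning in the reply above, as an added example that is not part of the original thread: a toy HMAC-signed token scheme in which the resource server accepts only access tokens and the auth server accepts only refresh tokens. The token format, the key and all function names are assumptions made for illustration; `simulate` counts how often each token kind crosses the wire during a session.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"      # constructed sample secret (assumption)
ACCESS_TTL = 3600                  # 1 hour, as in the question
REFRESH_TTL = 7 * 24 * 3600        # 7 days, as in the question

def _sign(body: bytes) -> str:
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def issue(kind: str, user: str, now: int) -> str:
    ttl = ACCESS_TTL if kind == "access" else REFRESH_TTL
    body = json.dumps({"typ": kind, "sub": user, "exp": now + ttl}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def verify(token: str, kind: str, now: int):
    """Return the claims if signature, type and expiry all check out, else None."""
    try:
        b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    claims = json.loads(body)
    return claims if claims["typ"] == kind and now < claims["exp"] else None

def api_call(access_token: str, now: int) -> bool:
    """Resource server: sees a token on every request, accepts only access tokens."""
    return verify(access_token, "access", now) is not None

def refresh(refresh_token: str, now: int):
    """Auth server: the only endpoint that ever receives the refresh token."""
    claims = verify(refresh_token, "refresh", now)
    return issue("access", claims["sub"], now) if claims else None

def simulate(hours: int, calls_per_hour: int) -> dict:
    """Count how many times each token kind is transmitted during a session."""
    sent = {"access": 0, "refresh": 0}
    rt, at = issue("refresh", "alice", 0), issue("access", "alice", 0)
    for h in range(hours):
        for c in range(calls_per_hour):
            now = h * 3600 + c * (3600 // calls_per_hour)
            if not api_call(at, now):      # access token expired: refresh once
                at = refresh(rt, now)
                sent["refresh"] += 1
                if at is None:             # refresh token expired: log in again
                    return sent
            sent["access"] += 1
    return sent
```

Over a 7-day session at one API call per minute, the access token is transmitted 10080 times and the refresh token 167 times, and a captured access token stops working within the hour.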

commented on Thu, 22 Sep 2022

The reply above is right: security is only relative, never absolute. All we can say is that we try to spend a relatively small amount of work to make the cost of cracking higher.