some questions about refresh tokens

Problem description

I have some questions (more so confusions) about the use and/or the reason behind refresh tokens when I'm using jsonwebtokens. NOTE: I have read so many answers on Stack Overflow about this but I'm still confused, so please don't just link me to some other answer.

Firstly, why is it even needed? I fully understand the whole thing about short-lived access tokens and long-lived refresh tokens that are used to acquire new access tokens, but then I feel like that leaves the refresh token just as vulnerable, and maybe more than normal access tokens.

Secondly, I hear people saying stuff about how the Resource server cares about the access token and the Authorization server cares about the refresh token, but I have 1 server, just an API that I'm using JWTs to authorize and authenticate with.

Also, yes, I do understand that it's a better experience for the user because they can stay logged in for longer etc., but the question still arises: why not just make the access token last a long time?

I guess my question boils down to: why exactly are they needed / used, and what makes them more secure than just using access tokens?

Now, I have actually implemented refresh tokens and still these questions come up. I don't know if I'm just slow, but it's quite confusing to me and there don't seem to be very clear explanations about the "why" on the internet.

Any help / explanation would be GREATLY appreciated. I'm just trying to wrap my head around the "why" of this, because I can implement it all day, but if I don't understand it I will forever be left puzzled about why in the world I'm doing what I'm doing.

Tags: javascript, node.js, express, security, jwt

Solution

