Understanding Refresh Tokens


On my journey to learn web-dev, I am now studying JWT and I can't figure out what's the point of refresh tokens. If I am going to have a long-lived refresh token on the client side, I might as well not have a short-lived one. Why not just have one long-lived one on rotation?

Isn't the refresh token susceptible to theft just as much?

2


9
Lajos Arpad On

No, it isn't. The refresh token is something that can be used to prolong access rights, oftentimes that means that the expiry time of the access token is prolonged or a new access token can be requested.

Since the access token was sent from one direction to another, it's possible that something gained possession of said access token. That would mean that whatever gained access to it will be able to forge a request, claiming that it's a valid session and send that access token.

Now, if your access token is short-lived and your access expiry is postponed every five minutes by your app if you are using it, you are better protected if your server will not accept your access token at face value after a prolonged time, because the more time passed, the higher the probability that a listening middle-man "overheard" your token and forged a request.

So the refresh token lets the IDP know that you still use that access token. If you do not refresh that access token, then your IDP would be able to detect forgeries for their lack of refreshing themselves. Whereas, if you do not have refresh tokens, then you are less secure, lacking this kind of protection.

You can use your refresh token to get new access tokens altogether, so even if a forger possessed a formerly valid access token, that's useless by the time it expires and the use of a refresh token expires it.

The alternative you described is to use the same access token, but then you have no answer to the case when an access token is intercepted and attempted to be used by a hacker.

EDIT

Your access token is a JWT. Let's suppose you have an object of this form:

{
    userid: '123',
    expiration: now('+5 min'),
    refresh_token: 'somerefreshtoken'
}

Now, if you encrypt your JWT using a private and a public key and your client app has the public key to decode it, then instead of the readable object above, you have some random jumbled long text, such as

dkjssFSD2FSFsadk;ajfl5a3ka=

(just an example)

If the token above can be used for authentication for 10 hours, then, if someone steals this value, he will be able to perform identity theft. This is the part we already agree about.

Now, if your access token is only valid for 5 minutes, then your refresh token being unused will be able to gather you a new short-term access token, so your old access token will not be useful for very long for hackers.

You worry about the life-cycle of the refresh token.

But the refresh token is encrypted inside the access token and a hacker will not be able to decrypt your access token to get your refresh token.

Plus, if your access token is alive for 5 minutes, then the refresh token will also expire soon, because once it requests a new access token, you will also get a new refresh token.

Therefore, the hackers will not know what your refresh token is due to the fact that it's encrypted inside the access token AND the refresh token is short-lived as well in the scenario when it changes the access token (the new access token will contain the next refresh token encrypted inside of itself in a similar manner).

If your refresh token refreshes your access token instead of changing it, then, if a hacker steals your access token and your access token is left unchanged, but prolonged by the refresh token, then your access token is a long-lived token and it is less safe than in the case when you frequently refresh it.

Your refresh token is much safer than your access token, because while your access token is a token as it is, it is the result of the encryption of your secret data, such as the refresh token and other secret data. Your hacker cannot steal your refresh token. He can only steal your access token. He would need to decrypt your access token in order to get your refresh token, which is an extremely hard, virtually impossible task if you use a good encryption algorithm and you keep your keys secure.

0
Ziv On

The answer I got from Reddit: if we use only one token, we will need to make repeated calls to the server, which will cause overhead.