There’s a ton of information on the web describing what a JSON Web Token (JWT) is and what it’s used for. JWT.io describes it as:
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
Source: https://jwt.io/introduction
In this post JWT will be referred to as the “access token” because it’s used to gain access to resources. Once that access token expires, a refresh token is used to get a new access token. But if we already have a token that doesn’t expire, why do we need both? Can’t we just use the refresh token as our access token?
On a small system, yes, you probably can use one token to access your protected resources. If that token is stolen, delete it from the server's token store and it becomes useless. Then the user would just need to log in again.
Two Tokens For Scalability
Refresh tokens are most useful when you need the ability to scale. For example, suppose you have two separate servers: an authorization server and a resource server. The user would log in to the authorization server (e.g. Google) and then access the resource server (e.g. YouTube). With just one token, both YouTube and Google would need a copy of your token in order to be able to revoke access. However, if Google gives you a refresh token so that you can keep getting access tokens, and YouTube only accepts access tokens, only Google needs to keep track of the refresh token.
Think of this system like the box office and the theater. You go to the box office and give them your credit card (i.e. your login). The box office gives you a ticket (i.e. access token). The box office also tells you they have your card on file, so they give you a special code (i.e. refresh token) that you can use to get more tickets. Now you can use your ticket and see a movie at the theater.
If your ticket gets stolen, it’s only good for the one show. You can just get another ticket to see the next show.
If someone calls the box office with your code (i.e. your refresh token gets stolen) they unfortunately can get your ticket. But you realize or suspect it was stolen because you see some activity you don’t recognize. You can ask the box office to invalidate your code (delete the refresh token). You’ll need to restart the process, but it’s just you that needs to login again.
If the box office accepted tickets in exchange for new tickets, a stolen ticket could always be turned into another ticket. The only fix would be for the box office to stop honoring all tickets, for all its patrons, and start over.
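The two-server split described above, and each of the box-office scenarios, can be shown with a few dozen lines. The code below is an added example, not code from the original post: a minimal authorization server that mints HS256-signed JWTs and is the only party holding a refresh-token store, and a resource server that keeps no per-user state and verifies access tokens by signature and expiry alone. The key, the user name, the TTLs, and the `use` claim that distinguishes access from refresh tokens are all assumptions made for the example (the claim name is not from RFC 7519).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for the example; a real deployment loads the key from a secret store.
AUTH_SERVER_KEY = b"example-hmac-key-do-not-reuse"
ACCESS_TTL = 60                 # an access token is the ticket: good for "one show"
REFRESH_TTL = 30 * 24 * 3600    # the code on file at the box office lasts much longer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS with HS256, as the authorization server would mint it."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: float) -> dict:
    """Stateless check: signature and expiry only. Raises ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # the verifier, not the token, fixes the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


class AuthorizationServer:
    """The box office: issues both tokens and is the only party that stores refresh tokens."""

    def __init__(self, key: bytes):
        self.key = key
        self.refresh_store = {}   # jti -> user; deleting an entry revokes that refresh token

    def login(self, user: str, now: float):
        jti = secrets.token_urlsafe(16)
        self.refresh_store[jti] = user
        refresh = sign_jwt({"sub": user, "use": "refresh", "jti": jti, "exp": now + REFRESH_TTL}, self.key)
        return self._access(user, now), refresh

    def refresh(self, refresh_token: str, now: float) -> str:
        claims = verify_jwt(refresh_token, self.key, now)
        if claims.get("use") != "refresh" or claims.get("jti") not in self.refresh_store:
            raise ValueError("refresh token revoked or not a refresh token")
        return self._access(claims["sub"], now)

    def revoke_user(self, user: str) -> int:
        """Invalidate every refresh token for one user; only that user must log in again."""
        doomed = [jti for jti, sub in self.refresh_store.items() if sub == user]
        for jti in doomed:
            del self.refresh_store[jti]
        return len(doomed)

    def _access(self, user: str, now: float) -> str:
        return sign_jwt({"sub": user, "use": "access", "exp": now + ACCESS_TTL}, self.key)


class ResourceServer:
    """The theater: holds no per-user state, only the key needed to verify tickets."""

    def __init__(self, key: bytes):
        self.key = key

    def request(self, access_token: str, now: float) -> str:
        claims = verify_jwt(access_token, self.key, now)
        if claims.get("use") != "access":   # a refresh token is not a ticket
            raise ValueError("not an access token")
        return f"hello {claims['sub']}"


def _fails(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Walk through the box-office scenarios with a fixed clock so results are deterministic."""
    auth, theater = AuthorizationServer(AUTH_SERVER_KEY), ResourceServer(AUTH_SERVER_KEY)
    t0 = 1_700_000_000.0
    access, refresh = auth.login("alice", t0)
    r = {}
    r["fresh_access_ok"] = theater.request(access, t0 + 10)
    r["refresh_as_access_rejected"] = _fails(lambda: theater.request(refresh, t0 + 10))
    r["expired_access_rejected"] = _fails(lambda: theater.request(access, t0 + ACCESS_TTL + 1))
    access2 = auth.refresh(refresh, t0 + ACCESS_TTL + 1)      # code on file -> new ticket
    r["renewed_access_ok"] = theater.request(access2, t0 + ACCESS_TTL + 2)
    r["revoked_count"] = auth.revoke_user("alice")            # stolen code reported
    r["refresh_after_revoke_rejected"] = _fails(lambda: auth.refresh(refresh, t0 + ACCESS_TTL + 3))
    # Caveat: revoking at the box office does not recall tickets already handed out.
    r["old_ticket_valid_until_exp"] = theater.request(access2, t0 + ACCESS_TTL + 5)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last line of `demo` is the caveat that matters in practice: revoking the refresh token stops new tickets from being issued, but any access token already minted stays valid until its `exp`. That is why access tokens are kept short-lived, and why the resource server can afford to be stateless in the first place.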
No system is perfect; tokens will be tokens and get stolen. When they do, refresh tokens eliminate the need to force the entire user base to log in again. When nothing is being stolen, refresh tokens let users log in a lot less often.