Why use refresh tokens - Angular Edition
In this article, we briefly explain why refresh tokens are useful.
Without refresh tokens, the typical flow is straightforward: the user authenticates, obtains an access token and utilizes the access token to invoke APIs. For security, access tokens should be short-lived. But once an access token expires, you’re left with two unappealing options: force the user to re-authenticate or allow clients to exchange the expired access token for a new one.
Re-authentication hurts usability. The shorter the access-token lifetime, the more often users are asked to log in again—quickly becoming unacceptable from a user-experience standpoint.
Using an expired access token to obtain a new access token is risky. If an attacker manages to obtain a valid access token before it expires, the attacker can also use it to request a new one. An attacker has many chances to obtain the access token as it is sent around with each API call. The high exposure significantly increases the attack surface.
Refresh tokens solve this problem. When a user authenticates, the server issues both an access token and a refresh token. The user utilizes the access token to invoke APIs as before. When the access token expires, the client does not submit the expired access token; instead, it sends the refresh token to obtain a new access/refresh token pair.
If an attacker intercepts the expired access token, it’s useless—they can’t exchange it for anything. To obtain new tokens, they would need the refresh token. But the refresh token is sent only twice: once during the initial authentication and once during token renewal. That limited exposure significantly reduces the attack surface.
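The flow described above, as an added example that is not part of the original article: a plain TypeScript model of both sides, with an in-memory stand-in for the authorization server (`MockAuthServer`), a client that sends the access token and falls back to the refresh token only on a 401 (`ApiClient`), and a fixed clock passed in explicitly so expiry can be exercised deterministically. The token lifetimes, the class and function names, and the user name `alice` are assumptions. It also goes one step beyond the article: refresh tokens are single-use (rotated on every renewal) and a replayed refresh token revokes all of that user's refresh tokens, which is how a server can turn the "sent only twice" property into a detectable event. In an Angular app the client half would live in an `HttpInterceptor`; here it is framework-free so it runs on its own.

```typescript
// Added example (not the article's code): access/refresh token flow with rotation.
import { randomBytes } from "crypto";

export interface TokenPair { accessToken: string; refreshToken: string; }
interface AccessRecord { subject: string; expiresAt: number; }
interface RefreshRecord { subject: string; expiresAt: number; used: boolean; }

export const ACCESS_TTL_MS = 5 * 60 * 1000;           // assumed: 5-minute access tokens
export const REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000; // assumed: 7-day refresh tokens

/** In-memory stand-in for the authorization + resource server. */
export class MockAuthServer {
  private access = new Map<string, AccessRecord>();
  private refresh = new Map<string, RefreshRecord>();

  private issuePair(subject: string, now: number): TokenPair {
    const accessToken = randomBytes(16).toString("hex");
    const refreshToken = randomBytes(32).toString("hex");
    this.access.set(accessToken, { subject, expiresAt: now + ACCESS_TTL_MS });
    this.refresh.set(refreshToken, { subject, expiresAt: now + REFRESH_TTL_MS, used: false });
    return { accessToken, refreshToken };
  }

  /** Initial authentication: the only other time the refresh token crosses the wire. */
  login(subject: string, now: number): TokenPair { return this.issuePair(subject, now); }

  /** Resource endpoint: unknown or expired access tokens get a 401. */
  callApi(accessToken: string, now: number): { status: number; body?: string } {
    const rec = this.access.get(accessToken);
    if (!rec || rec.expiresAt <= now) return { status: 401 };
    return { status: 200, body: `hello ${rec.subject}` };
  }

  /**
   * Token endpoint. Access tokens live in a separate table, so presenting one
   * here (expired or not) yields nothing. Each refresh token is single-use;
   * a replay means the token leaked, so the subject's whole family is revoked.
   */
  refreshTokens(refreshToken: string, now: number): TokenPair | null {
    const rec = this.refresh.get(refreshToken);
    if (!rec || rec.expiresAt <= now) return null;
    if (rec.used) {
      this.refresh.forEach((r, tok) => { if (r.subject === rec.subject) this.refresh.delete(tok); });
      return null;
    }
    rec.used = true;
    return this.issuePair(rec.subject, now);
  }
}

/** Client side: send the access token; on 401 exchange the refresh token once and retry. */
export class ApiClient {
  constructor(private server: MockAuthServer, private tokens: TokenPair) {}

  call(now: number): { status: number; body?: string; refreshed: boolean } {
    let res = this.server.callApi(this.tokens.accessToken, now);
    if (res.status !== 401) return { ...res, refreshed: false };
    // Expired: the old access token is never resent; only the refresh token goes out.
    const fresh = this.server.refreshTokens(this.tokens.refreshToken, now);
    if (!fresh) return { status: 401, refreshed: false }; // user must re-authenticate
    this.tokens = fresh;
    res = this.server.callApi(this.tokens.accessToken, now);
    return { ...res, refreshed: true };
  }
}

/** Walks through the article's scenario with a constructed clock and reports each step. */
export function runScenario() {
  const server = new MockAuthServer();
  const t0 = 1700000000000; // constructed fixed clock, ms since epoch
  const initial = server.login("alice", t0);
  const client = new ApiClient(server, initial);
  const late = t0 + ACCESS_TTL_MS + 1;

  const first = client.call(t0 + 1000);   // access token still valid, no refresh
  const afterExpiry = client.call(late);  // expired -> refresh -> retry succeeds
  return {
    firstStatus: first.status,
    firstRefreshed: first.refreshed,
    afterExpiryStatus: afterExpiry.status,
    afterExpiryRefreshed: afterExpiry.refreshed,
    // Captured (now expired) access token: useless on the API and at the token endpoint.
    stolenAccessReplayed: server.callApi(initial.accessToken, late).status,
    stolenAccessAsRefresh: server.refreshTokens(initial.accessToken, late),
    // Captured original refresh token: already rotated, replay fails and revokes the family.
    stolenRefreshReplayed: server.refreshTokens(initial.refreshToken, late + 1),
    // After revocation the legitimate client can no longer renew either.
    legitAfterRevocation: client.call(t0 + 2 * ACCESS_TTL_MS + 10).status,
  };
}
```

Because the refresh token only leaves the client at login and at renewal, the reuse check in `refreshTokens` is meaningful: a second presentation of the same token can only come from a copy the client did not send, and revoking the family forces a fresh login for everyone holding it.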