Tags: oauth-2.0, openid, identityserver4, openid-connect

Are refresh tokens necessary with reference tokens?


We have a Web API secured with IdentityServer4 using local API authentication. We are currently using both Reference Tokens and Refresh Tokens. Since we have the ability to revoke a reference token at any time, is it even necessary for us to use refresh tokens? Couldn't we just set a long expiry for the reference token? Are there any security implications to this approach?


Solution

From the documentation:

When using reference tokens - IdentityServer will store the contents of the token in a data store and will only issue a unique identifier for this token back to the client. The API receiving this reference must then open a back-channel communication to IdentityServer to validate the token.

In other words, the client doesn't have to provide an access token to the API, only pass the reference.

This is a big difference between the JWT token and the reference token. The client sends the API the JWT token, which has to be trusted by the API without consulting the provider, while the reference token forces the API to contact the provider, not having to rely on the client.

From the Refresh Tokens documentation:

Since access tokens have finite lifetimes, refresh tokens allow requesting new access tokens without user interaction.

The question now is, can a reference token expire? Not by itself, as it contains no logic, unlike the JWT token. But there may be a server-side setting that triggers some kind of expiration, or actually causes the reference to be revoked.

Either way, there is no use for a refresh token in this scenario, as you can't refresh the reference token. The reference token either exists or it doesn't (it is invalid or was revoked).
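The back-channel validation described above, as an added example that is not part of the question, the answer, or IdentityServer4's own code: a small model of the provider's server-side token store with an RFC 7662-shaped introspection method, and the check a resource server performs on each request. The store, the `FakeClock`, the client/subject/scope values and the lifetimes are all constructed here; the model gives each stored token an absolute expiry so that both paths from the discussion can be exercised, revocation (effective on the next API call) and a long lifetime (the handle keeps working until the clock passes it, unless someone revokes it).

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class StoredToken:
    """What the provider keeps server-side for one reference token.

    The client only ever receives the opaque handle that keys this record."""
    client_id: str
    subject: str
    scopes: tuple
    expires_at: float          # absolute Unix time, derived from the client's access token lifetime
    revoked: bool = False


class ReferenceTokenStore:
    """Constructed model of a persisted-grant store plus its introspection endpoint."""

    def __init__(self, clock=time.time):
        self._tokens = {}
        self._clock = clock    # injectable so lifetimes can be exercised without sleeping

    def issue(self, client_id, subject, scopes, lifetime_seconds):
        handle = secrets.token_urlsafe(32)   # unguessable; carries no claims itself
        self._tokens[handle] = StoredToken(
            client_id, subject, tuple(scopes), self._clock() + lifetime_seconds)
        return handle

    def revoke(self, handle):
        tok = self._tokens.get(handle)
        if tok is None:
            return False
        tok.revoked = True
        return True

    def introspect(self, handle):
        """RFC 7662-shaped answer. Unknown, revoked and expired handles all look the same
        to the caller ({"active": false} and nothing else), so nothing leaks about why."""
        tok = self._tokens.get(handle)
        if tok is None or tok.revoked or self._clock() >= tok.expires_at:
            return {"active": False}
        return {
            "active": True,
            "client_id": tok.client_id,
            "sub": tok.subject,
            "scope": " ".join(tok.scopes),
            "exp": int(tok.expires_at),
        }


def api_allows(store, handle, required_scope):
    """Resource-server side: back-channel validation on every request, then a scope check."""
    info = store.introspect(handle)
    if not info.get("active"):
        return False
    return required_scope in info.get("scope", "").split()


class FakeClock:
    """Constructed clock so the demo can move time forward deterministically."""

    def __init__(self, now=1_700_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


def demo():
    clock = FakeClock()
    store = ReferenceTokenStore(clock)
    results = {}

    # Case 1: a one-hour token (3600 s, the same value as IdentityServer4's default AccessTokenLifetime).
    short = store.issue("webapp", "alice", ["api.read"], lifetime_seconds=3600)
    results["fresh_token_accepted"] = api_allows(store, short, "api.read")
    results["wrong_scope_rejected"] = api_allows(store, short, "api.write")

    # Revocation takes effect on the very next API call, however much lifetime is left.
    store.revoke(short)
    results["revoked_token_rejected"] = api_allows(store, short, "api.read")

    # Case 2: a 30-day token. A leaked handle stays usable for the whole window
    # unless something revokes it; only the store's clock ends it otherwise.
    long_lived = store.issue("webapp", "bob", ["api.read"], lifetime_seconds=30 * 24 * 3600)
    clock.now += 29 * 24 * 3600
    results["long_token_still_valid_day_29"] = api_allows(store, long_lived, "api.read")
    clock.now += 2 * 24 * 3600
    results["long_token_expired_day_31"] = api_allows(store, long_lived, "api.read")

    # A handle the store never issued is indistinguishable from a revoked or expired one.
    results["unknown_handle_rejected"] = store.introspect("not-a-real-handle") == {"active": False}
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point worth noticing is that the API never reasons about the token's content; it only asks the store and acts on `active`. That is what makes revocation immediate, and it is also why the lifetime you configure is the only thing bounding a stolen handle between revocations: the longer the expiry, the longer the window in which a leaked reference keeps answering `active: true`.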