
OAuth2 - What if the refresh token is compromised?


As far as I understand OAuth2 authentication has two parts:

  • access token (short validity)
  • refresh token (long validity)

The purpose of keeping the access token short-lived is that if it gets compromised, the user will not be able to access the resource after its expiry.

The purpose of keeping the refresh token long-lived is that if the access token expires, the refresh token can then be used to generate a new access token OR increase the expiry time of the access token.

My question is, what if the refresh token gets compromised? In that case what is the whole point of keeping the access token short lived? Because the hacker can then keep reissuing a new access token each time it gets expired using the stolen refresh token.

Can someone explain to me please?


Solution

  • You are on the right track with your understanding of access and refresh tokens.

    Access tokens are indeed short-lived and are used to authenticate individual requests to a server. These tokens are designed to be passed around and possibly exposed in insecure environments, hence the short lifespan.

    On the other hand, refresh tokens are long-lived and are used to obtain new access tokens when the current one expires. The refresh token is typically stored securely by the client and not sent in every request, reducing the likelihood of it being intercepted. It is usually used only in a secure environment and typically with HTTPS only.

    As you mentioned, if the refresh token is compromised, an attacker could use it to obtain new access tokens. This is indeed a serious risk, which is why refresh tokens must be stored and transmitted as securely as possible.

    Additionally, refresh tokens often come with other security mechanisms to manage risk:

      • Revocability: Refresh tokens can be revoked by the server. They should be revoked when the user logs out, when they are used to issue a new refresh token, or if any suspicious activity is detected. If a refresh token is compromised and the server or the legitimate client realizes this, they can make the token useless by revoking it.

      • Rotation of refresh tokens: Some implementations use a refresh token rotation strategy. This means that each time a client uses a refresh token to get a new access token, a new refresh token is also returned. The previous refresh token is invalidated. Therefore, if a refresh token is stolen and the legitimate client uses the valid refresh token to get a new pair of access and refresh tokens, the server will notice that the stolen refresh token is being used again and can block the user account or take other appropriate security actions.

      • Limited use: Refresh tokens are often scoped to certain actions. They may not grant full access to a user's resources, only the ability to get a new access token.

    I hope this clarifies a bit about the access and refresh tokens.
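The rotation and reuse-detection scheme described in the answer above, as an added Python example that is not part of the original thread: an in-memory model of an authorization server that rotates the refresh token on every use, ties all rotations of one login into a "family", and revokes the whole family when a rotated token is presented again. The class and method names are constructed for illustration and do not correspond to any real library.

```python
import secrets
import time

# Added example: minimal in-memory authorization-server model (constructed
# names, not a real library). Every login starts a token family; each refresh
# rotates the refresh token; presenting an already-rotated token kills the
# whole family so neither a thief nor the legitimate client can continue.

class RefreshTokenStore:
    def __init__(self, access_ttl_seconds=300):
        self.access_ttl = access_ttl_seconds
        self.tokens = {}             # refresh token -> {"user", "family", "active"}
        self.revoked_families = set()

    def login(self, user):
        """Start a fresh token family for a new session."""
        return self._issue_pair(user, family=secrets.token_hex(8))

    def _issue_pair(self, user, family):
        refresh = secrets.token_urlsafe(32)
        self.tokens[refresh] = {"user": user, "family": family, "active": True}
        access = {"sub": user, "exp": time.time() + self.access_ttl}  # short-lived
        return {"ok": True, "access": access, "refresh": refresh}

    def refresh(self, refresh_token):
        rec = self.tokens.get(refresh_token)
        if rec is None:
            return {"ok": False, "reason": "unknown_token"}
        if rec["family"] in self.revoked_families:
            return {"ok": False, "reason": "family_revoked"}
        if not rec["active"]:
            # A rotated token came back: either a client replay or a stolen copy.
            # Revoke the family; the user must authenticate again.
            self.revoked_families.add(rec["family"])
            return {"ok": False, "reason": "reuse_detected"}
        rec["active"] = False        # single use: rotate on every refresh
        return self._issue_pair(rec["user"], rec["family"])

    def logout(self, refresh_token):
        """Explicit revocation, e.g. when the user logs out."""
        rec = self.tokens.get(refresh_token)
        if rec is not None:
            self.revoked_families.add(rec["family"])
        return rec is not None
```

In the stolen-token scenario from the question, whichever party (thief or legitimate client) presents the old token second triggers `reuse_detected`, and the other party's newer token stops working on its next refresh.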