can we use access token as session cookie in browser? and how to protect it?
The scenario is: you have refresh token that is valid for a longer period of time and an access token that is valid for a shorter period of time.
The setup: There is a client, application server and authentication server.
The client stores the access token in browser. The application server stores the refresh token. The authentication server hands out the refresh + access token. One of the advantages is that a stolen access token can only be used for the time it is valid.
Say a hacker steals the access token that is valid for 30 minutes. When the hacker makes a request with the valid but expired stolen access token after 30 minutes, the application server refreshes it with the refresh token, thus the hacker gaining a new valid and not expired access token.
