
Why are refresh tokens treated differently than access tokens

Çağlar Arlı      -    75 Views

If we consider that having a valid refresh token allows you to get a valid access token, then the two can be considered to have the same 'informational value' right?

Then why are they treated differently in terms of security aspects like expiration time?

It is often said that it's best practice to give access tokens shorter lifetimes and rotate them often while at the same time allowing refresh tokens to last longer. A typical example would be to have an access JWT last a week while letting a refresh token expire after 30 days.

But if both tokens are equally valuable to an attacker, I don't understand the different treatment they receive from a security standpoint unless we look at this topic within a context of massive security flaws. If we, for example, argue that there could be a critical security leak within the HTTPS protocol, then sure, an attacker could probably steal an access token more easily since it's exchanged more often between a client and a server. But practically, this shouldn't be the case when HTTPS is used and the access JWT is stored securely as an HttpOnly cookie.
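The two token types are usually handled by different mechanisms, and that mechanical difference is what the lifetimes reflect. The following is an added example, not code from the question or from any particular library: a hypothetical `TokenService` that signs access tokens with HMAC (standing in for a JWT library) and verifies them statelessly, while refresh tokens are opaque random strings backed by a server-side record. The secret and the clock are constructed for the example; the lifetimes are the ones the question quotes (one week and 30 days).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Lifetimes taken from the question's example: one week for the access JWT,
# thirty days for the refresh token.
ACCESS_TTL = 7 * 24 * 3600
REFRESH_TTL = 30 * 24 * 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    """Hypothetical issuer: stateless HMAC-signed access tokens, stateful refresh tokens."""

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now             # injectable clock so expiry can be exercised offline
        self.refresh_store = {}    # refresh token -> (subject, expiry); server-side state

    def _sign(self, payload: dict) -> str:
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self.secret, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(sig)

    def issue_access(self, subject: str) -> str:
        return self._sign({"sub": subject, "exp": int(self.now()) + ACCESS_TTL})

    def verify_access(self, token: str):
        # No lookup: validity is decided purely from the signature and 'exp'.
        # A stolen access token therefore stays usable until it expires, which is
        # why a short lifetime is the only lever the server has on it.
        body, sep, sig = token.rpartition(".")
        if not sep:
            return None
        expected = _b64(hmac.new(self.secret, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return None
        payload = json.loads(_unb64(body))
        if int(self.now()) >= payload["exp"]:
            return None
        return payload

    def issue_refresh(self, subject: str) -> str:
        token = secrets.token_urlsafe(32)
        self.refresh_store[token] = (subject, int(self.now()) + REFRESH_TTL)
        return token

    def login(self, subject: str):
        return self.issue_access(subject), self.issue_refresh(subject)

    def refresh(self, refresh_token: str):
        # pop(): each refresh token is single-use, so presenting it rotates it out
        # and a later replay of the same value is rejected.
        record = self.refresh_store.pop(refresh_token, None)
        if record is None:
            return None
        subject, expiry = record
        if int(self.now()) >= expiry:
            return None
        return self.login(subject)

    def revoke_refresh(self, refresh_token: str) -> bool:
        # Possible only because the server keeps a record of refresh tokens;
        # there is no equivalent call for the stateless access token.
        return self.refresh_store.pop(refresh_token, None) is not None


if __name__ == "__main__":
    clock = [1_000_000]  # constructed clock value
    svc = TokenService(b"constructed-secret-for-the-example", now=lambda: clock[0])
    access, refresh = svc.login("alice")
    print("access valid:", svc.verify_access(access) is not None)
    clock[0] += 8 * 24 * 3600  # eight days later the access token is gone
    print("access valid after 8 days:", svc.verify_access(access) is not None)
    print("refresh yields new pair:", svc.refresh(refresh) is not None)
    print("replaying old refresh:", svc.refresh(refresh))
```

The example makes the asymmetry concrete: the access token carries its own proof of validity and is checked without touching server state, so its lifetime bounds the damage of a leak; the refresh token is a server-side record that is consumed on use and can be revoked at any time, so it can be allowed to live longer without giving a thief an equally long window.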