
Is there any benefit to using refresh tokens if the session token is an opaque token stored in a database?

Çağlar Arlı


I'm working on a personal project that is an app that deals with user mental health data. Because of the sensitivity of the data, and the fact that the app syncs with the cloud as opposed to loading data directly from the cloud, I decided to switch from a JWT access token + opaque session token to an opaque access token. This is because it provides more token control (I can revoke the session token instantly), and the increased request duration is not an issue (since it would just make the sync process slightly slower, which is not noticeable at all).

My understanding is the purpose of the refresh token in a JWT based configuration is that there's no way to revoke the JWT without storing revoked JWTs in a database and looking them up every time (which would defeat the point of a JWT). So you use a short-lived JWT and a long-lived refresh token.

This doesn't seem helpful when the actual access token is revocable though - couldn't I just make the access token long-lived?
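Added example, not part of the question or of any answer on the page: the two designs the question compares, side by side in Python, with a constructed in-memory dict standing in for the database. Design 1 is the single long-lived opaque token: revocation is instant, but a copied token stays valid until someone notices and revokes it. Design 2 keeps the opaque, instantly revocable access token but makes it short-lived and pairs it with a rotating refresh token; it shows two things the first design does not give you, a bounded lifetime for a copied access token and detection of a replayed refresh token (presenting an already-rotated refresh token revokes the whole token family). The class names, the `family` grouping and the `demo()` scenario are assumptions for illustration; only token hashes are stored so that a database dump does not leak live tokens.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def _hash(token: str) -> str:
    # Store only a hash of the opaque token; the client holds the only plaintext copy.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class SessionStore:
    """Design 1: one long-lived opaque token, looked up in the DB on every request."""
    ttl: float = 30 * 24 * 3600
    _rows: dict = field(default_factory=dict)  # token hash -> (user, expires_at)

    def issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._rows[_hash(token)] = (user, now + self.ttl)
        return token

    def validate(self, token: str, now: float):
        row = self._rows.get(_hash(token))
        if row is None or row[1] <= now:
            return None
        return row[0]

    def revoke(self, token: str) -> None:
        # Instant: the next lookup simply finds nothing.
        self._rows.pop(_hash(token), None)


@dataclass
class RefreshStore:
    """Design 2: short-lived opaque access token + rotating refresh token (assumed design)."""
    access_ttl: float = 15 * 60
    refresh_ttl: float = 30 * 24 * 3600
    _access: dict = field(default_factory=dict)   # hash -> (user, family, expires_at)
    _refresh: dict = field(default_factory=dict)  # hash -> (user, family, expires_at, used)
    _revoked_families: set = field(default_factory=set)

    def issue(self, user: str, now: float):
        # One "family" per login; every rotation stays in the same family.
        return self._mint(user, secrets.token_hex(8), now)

    def _mint(self, user: str, family: str, now: float):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[_hash(access)] = (user, family, now + self.access_ttl)
        self._refresh[_hash(refresh)] = (user, family, now + self.refresh_ttl, False)
        return access, refresh

    def validate(self, access: str, now: float):
        row = self._access.get(_hash(access))
        if row is None or row[2] <= now or row[1] in self._revoked_families:
            return None
        return row[0]

    def refresh(self, refresh: str, now: float):
        h = _hash(refresh)
        row = self._refresh.get(h)
        if row is None or row[2] <= now:
            return None
        user, family, exp, used = row
        if used or family in self._revoked_families:
            # A refresh token presented twice means the legitimate client and a thief
            # both hold a copy; revoke the family so neither keeps access.
            self._revoked_families.add(family)
            return None
        self._refresh[h] = (user, family, exp, True)  # rotate: old one is now spent
        return self._mint(user, family, now)

    def revoke(self, access: str) -> None:
        # Same instant revocation as design 1, applied to the whole login.
        row = self._access.get(_hash(access))
        if row is not None:
            self._revoked_families.add(row[1])


def demo() -> dict:
    """Constructed scenario: a token copied at login and replayed an hour later."""
    now, hour = 1_700_000_000.0, 3600
    out = {}
    s = SessionStore()
    t = s.issue("alice", now)
    out["d1_copy_valid_after_1h"] = s.validate(t, now + hour) == "alice"  # leak still works
    s.revoke(t)
    out["d1_after_revoke"] = s.validate(t, now + hour)  # None

    r = RefreshStore()
    access, refresh = r.issue("alice", now)
    out["d2_copy_valid_after_1h"] = r.validate(access, now + hour)  # None: expired
    access2, refresh2 = r.refresh(refresh, now + hour)  # legitimate client rotates
    out["d2_rotated_valid"] = r.validate(access2, now + hour) == "alice"
    out["d2_replayed_refresh"] = r.refresh(refresh, now + hour + 100)  # None: reuse detected
    out["d2_family_after_replay"] = r.validate(access2, now + hour + 100)  # None: family killed
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `demo()` scenario is the concrete comparison: with design 1 the copied token is still accepted an hour later until the server revokes it; with design 2 the copied access token has already expired, and the moment the attacker tries the copied refresh token after the real client has rotated it, the server sees the reuse and cuts off the whole login.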