I have been reading about the concepts of access tokens and refresh tokens. I get the part of why refresh tokens might be useful to prevent re-logins and issuing short-lived access tokens to reduce the attack vector.
Consider the scenario where, if I log in, the backend server creates the access token and the refresh token. The refresh token is kept with the server but the access token is with the client, let's say in a cookie. If the access token is stolen from the cookie and sent to the backend server that has the refresh token, will it issue a new token?
Can someone please help me understand why this is not a problem?
When an expired access token is presented to your Authorization Server, it will just not authenticate the request. It does not generate a refresh token.
When an access token expires, you use the refresh token to generate a new access token. Access tokens are short-lived, so they can be ferried around in a slightly insecure environment. Your refresh tokens are guarded in a safe environment and will not (need not) be ferried around like the access token.
Edit: You don't need an access token to get a new access token. All you need is a refresh token.
In Summary:
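The flow the answer describes, as an added runnable illustration (this is example code written for this page, not code from the asker or the answerer). It assumes an HMAC-signed JSON access token with a short `exp`, and models the asker's scenario where the refresh token is an opaque identifier that never leaves the server-side store; `SERVER_KEY`, the TTL constants and the function names are all hypothetical. It shows the three points made above: an expired (or stolen-and-expired) access token is simply rejected, nothing on the server turns an access token into a new one, and the refresh token alone is what mints the replacement.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical server-side secret and lifetimes (constructed for this example).
SERVER_KEY = b"example-hmac-key-not-for-production"
ACCESS_TTL = 300            # 5-minute access tokens: safe to ferry around in a cookie
REFRESH_TTL = 30 * 86400    # 30-day refresh tokens: stay in the guarded server store

# refresh_id -> {"sub": user, "exp": expiry}. The refresh token lives here only;
# the client never receives it, so a stolen cookie cannot contain it.
_refresh_store = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def make_access_token(sub: str, now: int) -> str:
    """Short-lived bearer token: base64(claims).base64(HMAC)."""
    claims = {"sub": sub, "exp": now + ACCESS_TTL, "jti": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_sign(payload))


def verify_access_token(token: str, now: int):
    """Return the claims if the token is authentic and unexpired, else None.

    An expired token is just rejected. There is deliberately no code path here
    (or anywhere else) that turns a presented access token into a new one."""
    try:
        body, sig = token.split(".", 1)
        payload, mac = _unb64(body), _unb64(sig)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), mac):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims


def handle_api_request(access_token: str, now: int):
    """What the resource endpoint does with whatever the client (or a thief) sends."""
    claims = verify_access_token(access_token, now)
    if claims is None:
        return 401, "not authenticated"      # nothing issued, nothing refreshed
    return 200, f"hello {claims['sub']}"


def login(sub: str, now: int):
    """Simulate login: both tokens are created, only the access token goes out."""
    refresh_id = secrets.token_urlsafe(32)
    _refresh_store[refresh_id] = {"sub": sub, "exp": now + REFRESH_TTL}
    return {"access_token": make_access_token(sub, now), "refresh_id": refresh_id}


def refresh(refresh_id: str, now: int):
    """Mint a new access token from the server-held refresh token alone.

    No access token, expired or otherwise, is needed or consulted."""
    entry = _refresh_store.get(refresh_id)
    if entry is None or entry["exp"] <= now:
        return None
    return make_access_token(entry["sub"], now)


if __name__ == "__main__":
    t0 = 1_700_000_000
    session = login("alice", t0)
    stolen = session["access_token"]                     # attacker copies the cookie
    print(handle_api_request(stolen, t0))                # (200, 'hello alice') while valid
    print(handle_api_request(stolen, t0 + ACCESS_TTL))   # (401, 'not authenticated') once expired
    print(refresh(session["refresh_id"], t0 + ACCESS_TTL) is not None)  # True: refresh token alone suffices
```

Note that the stolen access token still works until `exp` passes; the short TTL is what bounds that window, and the thief gains nothing further because the refresh token was never in the cookie to steal.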