OAuth - What if the refresh token is stolen?
TL;DR: Yes refresh tokens are bearer token and so should be protected.
Refresh tokens are powerful because in general they are:
- long term: meaning that they have long expiration times
- privileged capability: meaning that they allow the bearer to renew their access token.
Refresh tokens are also bearer tokens, which means the service consuming the token will give access to the bearer of the token -- no questions asked. This is similar to access tokens.
So making sure bearer tokens are protected and stored securely is very important. The more critical a token, the better it should be protected.
As an example in OAuth2, implicit flow which is generally used with mobile apps, the client side app has a short lived access token. They are also generally not given a refresh token. Since a client side app can be easily compromised and any data/tokens be compromised, its bearer tokens have limited privilege and lifetime.
In contrast, in OAuth2 authorization code flow which is generally used with server side apps, the server app is given a longer lived access token or/and a refresh token. This is because it is assumed that server side is more trusted and less likely for it to be compromised. Having said that, server side tokens should still be stored securely given their usage pattern.
To summarize, when deciding what kind of tokens you need, check: - trust level of your client and the flow most appropriate for that trust level - protect your tokens!
You are right, this is why refresh token should be stored securely. Maybe encrypting it inside a cookie with the secure flag enabled, so it is only transferred over HTTPS.