Just as an additional note:
The refresh/access token distinction is not to save you from the tokens getting stolen.
It is against the user losing their account on the authentication server.
Let's say you have a company and issue your access tokens with a couple of minutes and the refresh token with a month.
The worker leaves after a week, but still has a valid refresh token. Now that the account has been deactivated on the authentication server, they cannot use the refresh token anymore to get a valid access token, despite the fact that the refresh token has not expired.
The same technique is used when you hit “log me out from all devices” on Facebook or similar services. The long-lived refresh token gets revoked by the auth server and is not accepted anymore when asking for a new access token.
These dual tokens are necessary to avoid the consumer having to ping the authentication server again and again for every request to ask whether the authenticated user is still authentic. Or even worse: assume authenticity for a very long time…
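The flow described in this comment, as an added example that is not part of the original post: a minimal auth server that issues HMAC-signed short-lived access tokens plus opaque server-side refresh tokens, a resource-server check that needs no call-back to the auth server, and the two revocation paths (account deactivation, "log out everywhere"). The key, TTLs, user names and token format are all constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key"        # shared HMAC key; constructed for this demo

def _sign(payload):
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def verify_access_token(token, now):
    """Resource-server side: signature and expiry only; the auth server is never asked."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                      # forged or tampered token
    payload = json.loads(base64.urlsafe_b64decode(body))
    return payload if payload["exp"] > now else None   # short lifetime bounds exposure

class AuthServer:
    ACCESS_TTL = 5 * 60                  # "a couple of minutes"
    REFRESH_TTL = 30 * 24 * 3600         # "a month"

    def __init__(self):
        self.active_users = set()
        self.refresh_tokens = {}         # opaque refresh token -> (user, expiry)

    def add_user(self, user):
        self.active_users.add(user)

    def deactivate(self, user):          # e.g. the worker leaves the company
        self.active_users.discard(user)

    def logout_everywhere(self, user):   # "log me out from all devices"
        self.refresh_tokens = {t: v for t, v in self.refresh_tokens.items() if v[0] != user}

    def login(self, user, now):
        if user not in self.active_users:
            return None
        rt = secrets.token_urlsafe(32)   # unguessable, stored server-side so it can be revoked
        self.refresh_tokens[rt] = (user, now + self.REFRESH_TTL)
        return self._access(user, now), rt

    def refresh(self, rt, now):
        """Refresh fails if the token was revoked OR the account is no longer active,
        even when the refresh token itself has not yet expired."""
        entry = self.refresh_tokens.get(rt)
        if entry is None:
            return None
        user, exp = entry
        if exp <= now or user not in self.active_users:
            return None
        return self._access(user, now)

    def _access(self, user, now):
        return _sign({"sub": user, "exp": now + self.ACCESS_TTL})
```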