A good auth system contains access and refresh tokens. I know what access tokens are for and I know what refresh tokens DO, but I don't understand their meaning.
If I authenticate successfully to an API, I get an access token and a refresh token. If a bad guy steals my access code, he can access the API for maybe the next 5 minutes or so. But if he steals my refresh token, which maybe expires in 6 months, couldn't he give himself a new access token every time?
And if there are security issues that make it possible to steal an access token, why not steal the refresh token to have access for a longer time?
Or am I thinking wrong somewhere?
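The token lifecycle the question describes, as an added example that is not part of the original post: a toy issuer with 5-minute HMAC-signed access tokens and 6-month opaque refresh tokens, plus the one server-side control the question is circling around, refresh-token rotation with reuse detection (every refresh invalidates the old token and mints a new one; if a rotated-out token is ever presented again, the whole login "family" is revoked, so a thief who replays a stolen refresh token locks both himself and the legitimate client out). The `TokenService` class, its storage layout, the TTLs and the `demo()` scenario are all my assumptions for illustration, not any real library's API.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


class TokenService:
    """Toy access/refresh token issuer (illustrative, not a real library).

    Assumptions made here, not stated in the question:
    - access tokens are HMAC-SHA256 signed JSON claims valid for ACCESS_TTL seconds
    - refresh tokens are opaque random strings stored server-side, grouped in a
      'family' per login, rotated on every use
    - presenting an already-used refresh token revokes the entire family
    """

    ACCESS_TTL = 5 * 60            # 5 minutes, as in the question
    REFRESH_TTL = 180 * 24 * 3600  # roughly 6 months, as in the question

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now              # injectable clock so expiry can be tested
        self.refresh_store = {}     # refresh token -> record dict
        self.revoked_families = set()

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def issue_access_token(self, user: str) -> str:
        claims = {"sub": user, "exp": int(self.now()) + self.ACCESS_TTL}
        payload = json.dumps(claims).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)

    def verify_access_token(self, token: str):
        """Return the subject if the token is well-formed, signed and unexpired, else None."""
        try:
            b64, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(b64)
        except (ValueError, binascii.Error):
            return None
        if not hmac.compare_digest(self._sign(payload), sig):
            return None
        claims = json.loads(payload)
        if claims["exp"] <= self.now():
            return None
        return claims["sub"]

    def login(self, user: str):
        """Fresh login: start a new refresh-token family and hand out the first pair."""
        return self._issue_pair(user, secrets.token_hex(8))

    def _issue_pair(self, user: str, family: str):
        refresh_token = secrets.token_urlsafe(32)
        self.refresh_store[refresh_token] = {
            "user": user,
            "family": family,
            "exp": self.now() + self.REFRESH_TTL,
            "used": False,
        }
        return self.issue_access_token(user), refresh_token

    def refresh(self, refresh_token: str):
        """Rotate: consume the presented refresh token and return a new pair, or None."""
        rec = self.refresh_store.get(refresh_token)
        if rec is None:
            return None
        if rec["family"] in self.revoked_families or rec["exp"] <= self.now():
            return None
        if rec["used"]:
            # A rotated-out token came back: either the client replayed it or a
            # thief did. Either way, kill every token descended from this login.
            self.revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return self._issue_pair(rec["user"], rec["family"])


def demo():
    """Constructed scenario: thief copies the refresh token, client rotates first."""
    clock = [1_000_000.0]
    svc = TokenService(b"demo-secret-key", now=lambda: clock[0])
    out = {}

    access, refresh1 = svc.login("alice")
    out["access_valid_at_issue"] = svc.verify_access_token(access)
    clock[0] += 6 * 60                       # six minutes later the access token is dead
    out["access_valid_after_6min"] = svc.verify_access_token(access)

    stolen = refresh1                        # attacker has a copy of the refresh token
    pair = svc.refresh(refresh1)             # legitimate client refreshes, rotating it
    out["client_refresh_ok"] = pair is not None
    _, refresh2 = pair

    out["thief_replay_ok"] = svc.refresh(stolen) is not None      # reuse detected
    out["client_after_replay_ok"] = svc.refresh(refresh2) is not None  # family revoked
    return out


if __name__ == "__main__":
    print(demo())
```

The point the scenario makes: a stolen refresh token is only as dangerous as the server lets it be. Without rotation the thief keeps minting 5-minute access tokens for six months; with rotation plus reuse detection, the first time both parties try to use the same token the server notices and forces a fresh login.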