
Why does Ember-Simple-Auth support refresh tokens? (JS + OAuth 2.0)

From what I've read in the OAuth 2.0 specs so far, it is not recommended to store any confidential information in the browser where it would be accessible via Javascript.

The discussion here also seems to agree on this point: Using OAuth2 in HTML5 Web App

I am currently building an Ember-based app as a frontend to my REST-style API backend, and I am using Ember-Simple-Auth as a library for handling the user login, which implements the Resource Owner Password Credentials workflow and also explicitly supports refresh tokens.

I read that the "Resource Owner Password Credentials" grant type in OAuth 2.0 allows the usage of refresh tokens, but the text in this paragraph is written addressing a very general definition of client.

As Ember.js is a framework for writing single page webapps running in the browser, I am now wondering...

Would it be safe to use the refresh token in an Ember app? The discussion mentioned above seems to disagree. Which leads me to:

Why does Ember-Simple-Auth support refresh tokens?

Thanks for taking the time to consider. Best! Marcus

The only point where using a refresh token is less safe than not using one is when the refresh token doesn't expire. So if someone gets physical access to your machine (or something is broken with regard to HTTPS), the access token might already have expired while the refresh token is still active and can be used to obtain fresh access tokens (meaning the security hole stays forever).

Support for that was built into Ember.SimpleAuth by popular demand. There are two things to say about it though: besides the user having to make sure no one gets physical access to their machines (which is a required security strategy for most sites, as sites usually do not expire sessions, or only after a very long time), it's vital that client and server only communicate via (correctly set up) HTTPS. The second thing is that Ember.SimpleAuth only uses a refresh token when there's one in the server response. So if you're concerned about that (which in my opinion is right), don't enable refresh tokens on the server side in the first place.
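The behaviour the answer describes, shown as an added example that is not part of the original question or answer and is not Ember-Simple-Auth's own code: the client only keeps and schedules a refresh when the token endpoint's response actually contains a `refresh_token`, and the server side decides per client whether to include one at all. The function names (`parseTokenResponse`, `refreshPlan`, `issueTokenResponse`), the client settings object and the sample responses are all constructed for this illustration.

```javascript
// Added example, not Ember-Simple-Auth code. Demonstrates the two halves of
// the answer: (1) a client session that refreshes only if the server handed
// out a refresh_token, (2) a server-side issuer that omits refresh_token for
// browser (public) clients and keeps access tokens short-lived.

// --- client side -----------------------------------------------------------

// Turn an OAuth 2.0 token endpoint response (RFC 6749 section 5.1 fields)
// into a session object. `now` is injectable so the logic is testable.
function parseTokenResponse(body, now = Date.now()) {
  if (typeof body.access_token !== 'string' || body.access_token === '') {
    throw new Error('token response lacks access_token');
  }
  const session = { accessToken: body.access_token, expiresAt: null, refreshToken: null };

  // expires_in is optional in the spec; without it we cannot plan a refresh.
  if (Number.isFinite(body.expires_in) && body.expires_in > 0) {
    session.expiresAt = now + body.expires_in * 1000;
  }
  // Only store a refresh token when the server actually sent one.
  if (typeof body.refresh_token === 'string' && body.refresh_token !== '') {
    session.refreshToken = body.refresh_token;
  }
  return session;
}

// Milliseconds until a refresh should be attempted, or null when the session
// has nothing to refresh with (the user simply re-authenticates on expiry).
function refreshPlan(session, now = Date.now(), leewayMs = 5000) {
  if (session.refreshToken === null || session.expiresAt === null) {
    return null;
  }
  return Math.max(0, session.expiresAt - now - leewayMs);
}

// --- server side (hypothetical issuer) ------------------------------------

// Per-client policy; constructed sample values.
const BROWSER_SPA = { id: 'ember-spa', allowRefreshTokens: false, accessTokenTtlSeconds: 600 };
const BACKEND_SERVICE = { id: 'batch-job', allowRefreshTokens: true, accessTokenTtlSeconds: 600 };

// Build the token response for a successful password grant. The refresh
// token is generated elsewhere and passed in; it is dropped unless the client
// policy allows refresh tokens.
function issueTokenResponse(client, accessToken, refreshToken) {
  const response = {
    access_token: accessToken,
    token_type: 'bearer',
    expires_in: client.accessTokenTtlSeconds,
  };
  if (client.allowRefreshTokens && typeof refreshToken === 'string' && refreshToken !== '') {
    response.refresh_token = refreshToken;
  }
  return response;
}

// Stand-alone demonstration with constructed token values.
if (typeof require !== 'undefined' && require.main === module) {
  const t0 = 1_000_000;
  const spaResponse = issueTokenResponse(BROWSER_SPA, 'at-spa-1', 'rt-would-be-here');
  const spaSession = parseTokenResponse(spaResponse, t0);
  console.log('SPA refresh plan:', refreshPlan(spaSession, t0)); // null: no refresh token issued

  const svcResponse = issueTokenResponse(BACKEND_SERVICE, 'at-svc-1', 'rt-svc-1');
  const svcSession = parseTokenResponse(svcResponse, t0);
  console.log('service refresh plan (ms):', refreshPlan(svcSession, t0)); // 595000
}
```

The client code is deliberately indifferent to client type: if the server never sends `refresh_token` to the browser app, nothing is stored in the browser beyond the short-lived access token, which is exactly the "don't enable refresh tokens on the server side" advice in practice.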
