Access token vs refresh token: the differences, and why the refresh token must not be exposed to the web browser (SPAs included).

In short: a refresh token lives for about a year or more.

An access token should be valid only for a short time.

If a refresh token is compromised, the attacker gets access for a year.

Description: the refresh token is accepted only by the authentication server, together with the user id and user secret.

The purpose of the access token is to fetch resources from resource servers, which may have security weaknesses; that is why the access token is short-lived.


That is why the SPA sends the email and password to the API server over HTTPS. The API server, which is secured properly, then sends a request with the user id and user secret to the OAuth2 authentication server, and the OAuth2 auth server responds with an access token and a refresh token. The API server keeps the refresh token locally (i.e. securely) and responds to the SPA with only the short-lived access token. The SPA then sends the access token to the resource servers.

So I can conclude that access tokens are just a way to avoid storing the session in cookies in the case of an SPA.


And I can assume that the SPA should track the expiration period and get a new access token through the API server, which uses the refresh token to obtain a new access token from the OAuth2 auth server.

And that is why, when the user clicks the logout button, the API server should invalidate the access token.
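The login, refresh and logout flow described above, as an added in-memory simulation (my own example, not code from the original note or from any real OAuth2 library): `AuthServer` stands in for the OAuth2 authorization server, `ApiServer` for the SPA's backend that holds the refresh token, the credentials are constructed, and `now` is passed explicitly instead of reading the clock.

```python
import secrets
ACCESS_TTL = 300               # seconds: the access token is short lived
REFRESH_TTL = 365 * 24 * 3600  # seconds: the refresh token lives about a year
class AuthServer:  # constructed stand-in for the OAuth2 authorization server
    def __init__(self, users):
        self.users = users    # user id -> user secret (constructed)
        self.access = {}      # access token -> (user, expires_at)
        self.refresh = {}     # refresh token -> (user, expires_at)
    def _issue_access(self, user, now):
        token = secrets.token_urlsafe(32)
        self.access[token] = (user, now + ACCESS_TTL)
        return token, now + ACCESS_TTL

    def password_grant(self, user, secret, now):  # user id + user secret -> both tokens
        if self.users.get(user) != secret:
            raise PermissionError("invalid credentials")
        refresh = secrets.token_urlsafe(32)
        self.refresh[refresh] = (user, now + REFRESH_TTL)
        return self._issue_access(user, now), refresh

    def refresh_grant(self, refresh, now):  # refresh token -> fresh access token
        user, exp = self.refresh.get(refresh, (None, 0))
        if user is None or now >= exp:
            raise PermissionError("refresh token invalid or expired")
        return self._issue_access(user, now)

    def revoke(self, token):
        self.access.pop(token, None)
    def introspect(self, token, now):  # what a resource server asks about an access token
        user, exp = self.access.get(token, (None, 0))
        return user if user is not None and now < exp else None

class ApiServer:  # the SPA's backend: it keeps the refresh token, the browser never sees it
    def __init__(self, auth):
        self.auth = auth
        self.sessions = {}    # session id -> refresh token

    def login(self, user, secret, now):
        (access, exp), refresh = self.auth.password_grant(user, secret, now)
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = refresh
        return sid, access, exp   # the SPA gets only the short-lived access token and its expiry

    def renew(self, sid, now):  # called by the SPA when `exp` is near
        return self.auth.refresh_grant(self.sessions[sid], now)

    def logout(self, sid, access):
        self.auth.revoke(access)          # access token no longer usable
        self.sessions.pop(sid, None)      # refresh token handle dropped as well
```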

And if the user checks the "remember me" checkbox on the SPA login form, the API server MAY provide a longer-lived access token.

When the user has checked "remember me", the access token should be stored in localStorage (because it is preserved even after browser restarts).

And without "remember me" checked, the access token should be stored in sessionStorage (which is erased on every browser shutdown).


And by the way: the user session (everything needed to restore the user session on a different server, e.g. a stateless approach) can be stored in an encrypted token and passed over HTTPS.


src: https://stackoverflow.com/a/7209263/2910338

src: https://stackoverflow.com/questions/49290819/why-are-refresh-tokens-considered-insecure-for-an-spa#:~:text=The%20reason%20for%20that%20is,it%20must%20be%20stored%20securely.

docs: https://habr.com/ru/company/ru_mts/blog/645439/
