Are refresh tokens necessary for online applications

Per Google's docs it would seem refresh tokens are only necessary for offline applications (applications that may run into an expired access token when the user isn't around).

Access tokens periodically expire. You can refresh an access token without prompting the user for permission (including when the user is not present) if you requested offline access to the scopes associated with the token.

...

Requesting offline access is a requirement for any application that needs to access a Google API when the user is not present. For example, an app that performs backup services or executes actions at predetermined times needs to be able to refresh its access token when the user is not present. The default style of access is called online.

However, a description of refresh tokens in general and this question in particular both seem to imply that refresh tokens are needed anytime you want to request a new access token.

I think I would agree with Google's explanation and not use refresh tokens. My experience with OIDC providers has been that refresh works as follows:

  1. User requests protected resource from client server.
  2. Client server determines access token has expired.
  3. Client server redirects user to OP auth endpoint
  4. OP authenticates user without interaction due to cookies stored on user's browser with OP's domain.
  5. Client server finishes the request.

The user might see a few redirects but other than that the re-authentication went by without any interaction from them. Given this, is it necessary to bother with refresh tokens if the user will always be present at the application?

Pace asked Apr 28 '17 14:04

1 Answer

My biggest concern with using refresh tokens for online apps is that it takes away transparency from the user.

Refresh tokens facilitate long-term access and should be stored safely. But they also don't provide a natural way to "sign out", and (most importantly) it becomes completely opaque how, when and from where your data is accessed, as the often-used scope name offline_access suggests.

OIDC offers a front channel mechanism prompt=none that largely leads to the same effect (i.e. new tokens), and without needing intermediate redirects if the re-authentication is performed inside an iframe.

Hence in my opinion you and Google are right and the answer must be: No, don't use refresh tokens if the user is present.

Pieter Ennes answered Sep 27 '22 21:09
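The silent re-authentication the answer describes, as an added example that is not part of the question or answer: a relying party builds an authorization request with prompt=none when its access token has expired, and on the callback distinguishes a fresh code from the OIDC "cannot authenticate silently" errors, which must fall back to an interactive login rather than another prompt=none attempt. The OP endpoint, client id and redirect URI are assumed values.

```python
# Added example: client-side handling of a prompt=none silent re-auth round
# trip, used instead of a refresh token while the user is present.
# OP_AUTHORIZE, CLIENT_ID and REDIRECT_URI are assumed placeholder values.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

OP_AUTHORIZE = "https://op.example/authorize"        # assumed OP endpoint
CLIENT_ID = "client-123"                              # assumed client id
REDIRECT_URI = "https://client.example/callback"      # assumed redirect URI

# Errors an OP returns to a prompt=none request when it would need user
# interaction (OIDC Core 3.1.2.6). Each one means: redirect the user to an
# interactive login; never retry with prompt=none, or the client loops.
NON_SILENT_ERRORS = {"login_required", "interaction_required",
                     "consent_required", "account_selection_required"}

def new_state() -> str:
    """Unguessable per-request state, bound to the user's session."""
    return secrets.token_urlsafe(16)

def build_auth_request(silent: bool, state: str, nonce: str) -> str:
    """Authorization request URL; silent=True adds prompt=none so the OP
    must answer from its own session cookie or return an error."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": "openid",
        "state": state, "nonce": nonce,
    }
    if silent:
        params["prompt"] = "none"
    return f"{OP_AUTHORIZE}?{urlencode(params)}"

def handle_callback(url: str, expected_state: str) -> dict:
    """Classify the OP's redirect back to the client:
    'code'        -> exchange the code for new tokens at the token endpoint
    'interactive' -> silent attempt refused; redirect without prompt=none
    'reject'      -> state mismatch (CSRF guard) or an unexpected error"""
    qs = parse_qs(urlparse(url).query)
    if qs.get("state", [None])[0] != expected_state:
        return {"action": "reject", "reason": "state mismatch"}
    if "error" in qs:
        err = qs["error"][0]
        if err in NON_SILENT_ERRORS:
            return {"action": "interactive", "reason": err}
        return {"action": "reject", "reason": err}
    if "code" in qs:
        return {"action": "code", "code": qs["code"][0]}
    return {"action": "reject", "reason": "no code or error in callback"}
```

The same classification applies whether the request is sent by a top-level redirect or from a hidden iframe; only the transport differs.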