I'm trying to get my head around refresh tokens and how they work with JWT, so I can use it without the Auth0 API service.
Thanks!
UPDATE
As @Florent Morselli suggested, the fundamental question of this post is wrong and confusing, since JWT and refresh tokens are not really concepts that can be related. A better question can be:
I'm not changing the question in the title, since somebody might be looking wrongly for the same thing and it will lead them to this post.
Tokens can be of two types:
With the first type, the tokens are opaque strings (often random strings) that refer to a database index where the values associated with the tokens are stored.
With the second type, the tokens contain the values. To avoid alteration they are digitally signed or hashed. As they also may contain sensitive data, they can be encrypted.
JSON Web Token is a suite of specifications (mainly RFC7515 to RFC7520) that introduces a new format for the second type.
Why are refresh tokens issued by Auth0 of the first type and not JWT (second type)?
The main benefit of the tokens by value is that they can be stateless, i.e. you don't need any kind of database. This is really helpful when tokens are sent several times to a server, as they drastically reduce database calls and thus reduce the response time.
The drawback is that you cannot revoke them. Or if you add a revocation system, then you have to manage and call a database. Therefore, tokens by value should have a very limited lifetime, which is not compatible with refresh tokens.
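An added example (not code from the question or the answer above) showing both token types side by side in Python: a signed JWT-style access token by value, verified statelessly, next to an opaque refresh token by reference that is looked up in and deleted from a dictionary standing in for the database. The HMAC secret, the 300-second lifetime and the in-memory store are assumptions of the example.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-secret"   # assumption: server-side HMAC key
ACCESS_TTL = 300                       # short lifetime for the stateless token
REFRESH_STORE = {}                     # stands in for the database index

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_access_token(sub: str, now: int) -> str:
    """Token by value: the claims travel inside the token, integrity via HMAC-SHA256."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "exp": now + ACCESS_TTL}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = _b64(hmac.new(SECRET, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"

def verify_access_token(token: str, now: int):
    """Stateless check: signature and expiry only, no database call (and no revocation)."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims["exp"] > now else None

def issue_refresh_token(sub: str) -> str:
    """Token by reference: opaque random string; only its hash is kept server-side."""
    token = secrets.token_urlsafe(32)
    REFRESH_STORE[hashlib.sha256(token.encode()).hexdigest()] = sub
    return token

def refresh(refresh_token: str, now: int):
    """Exchange a refresh token for a new pair; the old one is deleted, so it is single use."""
    key = hashlib.sha256(refresh_token.encode()).hexdigest()
    sub = REFRESH_STORE.pop(key, None)   # revocation is just a database delete
    if sub is None:
        return None
    return issue_access_token(sub, now), issue_refresh_token(sub)

if __name__ == "__main__":
    now = int(time.time())
    rt = issue_refresh_token("alice")
    access, rt2 = refresh(rt, now)
    print(verify_access_token(access, now), refresh(rt, now))  # claims dict, then None
```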