So I have seen the common use case on where the access token is renewed by sending a refreshtoken to the server endpoint aimed for that renewal.
My question is, based that I see a lot of cases where the refreshtoken is saved and sent using a cookie, will this means that if someone gets my refresh token cookie the attacker will be able to impersonate me and gain an accesstoken to access protected resources? How JWT prevent this from happening?
It is true that getting access to someone’s refresh token gives you the ability to generate new access tokens, impersonating the user who owns the refresh token. If someone gets the keys to your house, they can let themselves in. Choosing to use refresh tokens (which are optional) means accepting the risks associated with them.
You can mitigate this risk by enabling refresh token rotation, which prevents a given refresh token from being used more than once. You might also consider enabling the refresh token expiration features depending on your use case.