The projects at my company use approach 2 (the OAuth2-style double-token login). I don't understand why anyone would want to use this mode.
2: A brief introduction to the two approaches
With an ordinary login (approach 1), the server returns a single token; every subsequent request that needs permission validation carries this login token, and the server decides from it whether the request is allowed.
With an OAuth2 login (approach 2), the server returns two tokens: an access token, which is equivalent to the token just described and is used to verify the user's identity, and a refresh token, which, as its name implies, is used to refresh the access token. When the access token expires, the client sends the refresh token to the server to obtain a new access token, so that the user stays logged in.
Questions
1. Is the double token safer?
If this is done for security, the access token is given a short validity period to limit the damage from a leaked token, while the refresh token is given a long validity period so that the user stays logged in for a reasonable time. A shorter validity period does make the access token safer, but the refresh token then has to stay valid for a long time, so the security of the refresh token should be the same as that of the single token in approach 1. And since the refresh token can be used to obtain an access token, if the refresh token leaks, the access token is not safe either. So I don't see how this is any safer than the single-token pattern of approach 1.
2. More requests
Using a refresh token means extra requests to obtain access tokens, so there are more requests than before. Not only are the development and usage costs higher, and it is a bit of a hassle, but doesn't the increase in requests make the system less safe?
PS: I'm a front-end developer. In actual development with this model, it has caused the front end a lot of extra processing trouble, so I've been wondering what the advantage of this model is. I hope some experts can clear up my confusion, or we can discuss it.