A malicious actor can do quite a lot in 5 minutes. And now you've got to have your users/services renew their authentication at least every 5 minutes, meaning there has to be some central authentication authority to be renewing through... which completely defeats the whole decentralization thing and is more complicated than just issuing randomized tokens and keeping hashes of those in Redis.
At best, you've got a system where a malicious actor doesn't think to renew their token fast enough.
This approach doesn't really solve anything. If you have expiration times that short you will need a mechanism for renewing tokens and a compromised token can be renewed all the same. All you have is slightly higher server load because your regular users need to renew their tokens all the time.
If your access token is compromised, you would normally need your refresh token to get a new access token? So it would increase security, but if you lose your refresh token, you definitely have the same problem.
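The two designs the comments above are comparing, as an added example (not code from the thread): opaque random tokens whose SHA-256 hashes are kept server-side (a dict stands in for Redis, an assumption) and can be revoked at once, versus short-lived HMAC-signed access tokens that are checked with no lookup at all and can only be renewed with a stored, rotated refresh token. The `stolen_access_token_timeline` function walks the scenario the thread argues about: a copied access token keeps working until `exp`, cannot renew itself, and the refresh token is the thing that actually needs protecting. Names and the HMAC-SHA256 signing are my stand-ins, not any particular JWT library.

```python
# Added example (not from the thread). A dict stands in for Redis and
# HMAC-SHA256 for a JWT library's signature; both are assumptions.
import hashlib
import hmac
import json
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode


def _now(now):
    return time.time() if now is None else now


class OpaqueSessionStore:
    """Random bearer tokens; only sha256(token) -> record is stored, so a dump
    of the store yields no usable tokens and revoke() takes effect at once."""

    def __init__(self):
        self._sessions = {}  # stand-in for a Redis hash (assumption)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, ttl, now=None):
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {"user": user, "exp": _now(now) + ttl}
        return token

    def lookup(self, token, now=None):
        rec = self._sessions.get(self._key(token))
        if rec is None or rec["exp"] <= _now(now):
            return None
        return rec["user"]

    def revoke(self, token):
        self._sessions.pop(self._key(token), None)


def _b64e(raw):
    return urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


class StatelessAuth:
    """Short-lived signed access tokens verified without any lookup, plus a
    long-lived refresh token kept server-side (hashed, revocable, rotated)."""

    REFRESH_TTL = 30 * 24 * 3600

    def __init__(self, key, access_ttl=300):
        self._key = key
        self._access_ttl = access_ttl
        self._refresh = OpaqueSessionStore()

    def _sign(self, payload):
        body = _b64e(json.dumps(payload, sort_keys=True).encode())
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64e(mac)

    def _verify(self, token):
        try:
            body, sig = token.split(".")
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_b64d(sig), expected):
                return None
            return json.loads(_b64d(body))
        except (ValueError, TypeError):
            return None

    def login(self, user, now=None):
        access = self._sign({"sub": user, "exp": _now(now) + self._access_ttl})
        refresh = self._refresh.issue(user, self.REFRESH_TTL, now)
        return access, refresh

    def authenticate(self, access_token, now=None):
        # Only signature and exp are checked: a stolen access token keeps
        # working until exp no matter what the server has learned since.
        payload = self._verify(access_token)
        if not isinstance(payload, dict) or payload.get("exp", 0) <= _now(now):
            return None
        return payload.get("sub")

    def renew(self, refresh_token, now=None):
        # Renewal needs the refresh token, and the used one is rotated out,
        # so a replayed refresh token (or a bare access token) cannot renew.
        user = self._refresh.lookup(refresh_token, now)
        if user is None:
            return None
        self._refresh.revoke(refresh_token)
        return self.login(user, now)


def stolen_access_token_timeline(access_ttl=300):
    # Session starts at t=0; the attacker copies only the access token.
    auth = StatelessAuth(secrets.token_bytes(32), access_ttl=access_ttl)
    access, refresh = auth.login("alice", now=0.0)
    return {
        "usable_before_expiry": auth.authenticate(access, now=access_ttl - 1) == "alice",
        "usable_after_expiry": auth.authenticate(access, now=access_ttl + 1) == "alice",
        "renewable_without_refresh": auth.renew(access, now=10.0) is not None,
        "renewable_with_refresh": auth.renew(refresh, now=10.0) is not None,
    }
```

Note that `renew` goes through the same hashed store as the opaque design, which is the point several comments circle around: the moment you want renewal or revocation, some central store is back in the picture, and the refresh token is now the credential whose theft matters.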
Same idea with certificates, right? No one checks certificate revocation lists, so Google is shortening maximum lifetimes, reducing the chance of long-term malicious use.
Right. SSL certificate revocation lists have been called "broken in practice". In perfect practice, any time you want to use a cert you have to check the CRL, which means you have to pull the whole CRL or have it on a short enough refresh to satisfy your risk profile. If the attempt to access the CRL fails, then what? Do you trust the cert or not?
https://en.wikipedia.org/wiki/Certificate_revocation_list#Pr...
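The "then what?" in the comment above, as an added example (not from the thread or the linked article): a relying party's CRL cache with the freshness window and the fail-closed / fail-open decision made explicit. The `CRL` dataclass, the `fetch` callable and the `grace` window are simplified stand-ins I introduced (assumptions), not an X.509 parser; the serials and timeline in `demo` are constructed.

```python
# Added example (not from the thread). CRL fields and the fetch callable are
# simplified stand-ins (assumption), not a real X.509 CRL parser.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CRL:
    this_update: float            # thisUpdate, in seconds
    next_update: float            # nextUpdate: the CA promises a newer CRL by then
    revoked_serials: frozenset = field(default_factory=frozenset)


class CRLFetchError(Exception):
    """The distribution point could not be reached."""


class RevocationChecker:
    def __init__(self, fetch, fail_closed=True, grace=0.0):
        self._fetch = fetch              # () -> CRL, may raise CRLFetchError
        self._fail_closed = fail_closed  # policy when no fresh CRL is available
        self._grace = grace              # seconds past nextUpdate still accepted
        self._cached = None

    def _fresh(self, crl, now):
        return crl is not None and crl.this_update <= now < crl.next_update + self._grace

    def _refresh(self, now):
        try:
            crl = self._fetch()
        except CRLFetchError:
            return None
        if not self._fresh(crl, now):
            return None  # a CRL the CA never reissued is as good as no CRL
        self._cached = crl
        return crl

    def check(self, serial, now):
        """Return (accepted, reason) for a certificate serial at time `now`."""
        crl = self._cached if self._fresh(self._cached, now) else self._refresh(now)
        if crl is None:
            # No fresh CRL. A stale copy can still reject serials already known
            # to be revoked; for everything else it is a policy decision.
            stale = self._cached
            if stale is not None and serial in stale.revoked_serials:
                return False, "revoked (stale CRL)"
            if self._fail_closed:
                return False, "CRL unavailable"
            return True, "unverified (soft-fail)"
        if serial in crl.revoked_serials:
            return False, "revoked"
        return True, "ok"


def scripted_fetch(responses):
    """Fetcher that replays a constructed list of CRLs; raises once it runs out."""
    queue = list(responses)

    def fetch():
        item = queue.pop(0) if queue else CRLFetchError("distribution point unreachable")
        if isinstance(item, Exception):
            raise item
        return item

    return fetch


def demo(fail_closed, grace=0.0):
    # Constructed timeline: one good CRL, then the distribution point goes dark.
    good = CRL(this_update=0.0, next_update=3600.0, revoked_serials=frozenset({0x1234}))
    checker = RevocationChecker(scripted_fetch([good]), fail_closed, grace)
    return [
        checker.check(0x1234, now=10.0),     # fresh fetch, serial is on the list
        checker.check(0x9999, now=20.0),     # served from the cached CRL
        checker.check(0x9999, now=4000.0),   # cache past nextUpdate, fetch fails
        checker.check(0x1234, now=4000.0),   # still rejected from the stale copy
    ]
```

Whether `grace` is zero, ten minutes or a day is exactly the "short enough refresh to satisfy your risk profile" trade-off: a larger window means fewer fetches and fewer outages from a dead distribution point, and a longer time during which a freshly revoked cert is still accepted.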