DEV Community

Discussion on: What is the usual flow in authenticating a Client Application with a Token based REST API?

jjjjcccjjf

I'm not sure... I think only the refresh token alone?

Nick Karnik (theoutlander)

I see. How does it make it secure in that case? Anyone who gets a hold of the refresh token can still request an access token right? I think the idea of a secure refresh token is that anyone who discovers it cannot do anything with it because additional pieces of information are required in order to request an access token.

Ayaz Hussein (ayazhussein)

Hey, what other information can be used to differentiate between a stolen refresh token and a valid refresh token?

Blake Wight (bwighthunter)

This reply is a bit late, but perhaps useful to a future passer-by. What you could do is have the front end pass in some information about where they are located and/or their device/browser, and then tie refresh tokens to each device/browser. This could allow the user to revoke refresh tokens per location/device. If a request provides a token from a new location (for that token), revoke it and require another login from that device. Still spoofable, but it adds another layer.
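One way to implement the device binding Blake describes, as an added example that is not code from the thread or any of its posters. The in-memory store, the fingerprint inputs (user agent plus client IP) and single-use rotation of refresh tokens are assumptions; a real service would persist the records and issue signed access tokens.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store; a real service would persist this server-side.
class RefreshTokenStore:
    def __init__(self, refresh_ttl=30 * 24 * 3600):
        self.refresh_ttl = refresh_ttl
        self._tokens = {}  # sha256(token) -> record

    @staticmethod
    def _hash(token):
        # Store only a hash so a leaked database does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, device_fp):
        """Mint a refresh token bound to one user and one device fingerprint."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._hash(token)] = {
            "user": user_id, "device": device_fp,
            "expires": time.time() + self.refresh_ttl, "revoked": False}
        return token

    def redeem(self, token, device_fp):
        """Exchange a refresh token for (access_token, new_refresh_token).
        Returns None if the token is unknown, expired or revoked; a token
        presented from a different device is revoked on the spot, forcing a
        fresh login from that device."""
        rec = self._tokens.get(self._hash(token))
        if rec is None or rec["revoked"] or rec["expires"] < time.time():
            return None
        if not hmac.compare_digest(rec["device"], device_fp):
            rec["revoked"] = True  # new location for this token: treat as stolen
            return None
        rec["revoked"] = True  # rotation: every refresh token is single-use
        access = secrets.token_urlsafe(32)  # stand-in for a signed, short-lived access token
        return access, self.issue(rec["user"], device_fp)

    def revoke_device(self, user_id, device_fp):
        """Let a user sign out one device/location; returns the number revoked."""
        count = 0
        for rec in self._tokens.values():
            if rec["user"] == user_id and rec["device"] == device_fp and not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count

def device_fingerprint(user_agent, client_ip):
    """Constructed fingerprint from client-supplied data; spoofable, as the post notes."""
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()
```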