Full Stack Engineer with a history of working in the computer software industry following global best practices in building scalable technology solutions. A graduate of Maths/Statistics.
@ivomeissner Is that more like blacklisting the previous refresh token in Redis when a new one is generated, or using browser fingerprinting to check the IP address on incoming requests?
Yeah, you can do both. I usually store it in the DB, so that I can also revoke access by deleting the refresh token in the DB in case someone wants to change passwords (device stolen etc.). Otherwise, it's a lot harder to invalidate the refresh tokens, and it might have an impact on other users (for example, invalidating all tokens that were issued before x).
Thank you