Summary
- Refresh tokens can be effectively used for maintaining a seamless user experience in browser-based apps without suffering the limitations imposed by ITP2
- Configuring absolute lifetimes for refresh tokens helps reduce the risk of using RTs in single-page applications
- Inactivity lifetime enables refresh token lifetimes to be extended as long as the end-user interacts with the client within the configured period, resulting in less end-user friction
- Auth0 now provides both absolute and inactivity lifetimes for refresh tokens, along with more secure refresh token defaults, as of December 16, 2020
Balancing Security and User Experience
Most businesses want to afford a friction-free experience for end-users when using their applications. Requiring people to manually enter credentials every time they visit a commerce site or open an app can yield frustration and hurt the business bottom line. A common request in business-to-consumer (B2C) industries is to only require users to log in once and then to never require them to log in again unless they are explicitly logged out, either by choice or necessity.
The practice of using long-lived refresh tokens paired with short-lived Access Tokens is a common solution to delivering an uninterrupted experience, particularly in native mobile apps. With additional security capabilities such as Refresh Token Rotation and Automatic Reuse Detection, refresh tokens can safely be used in Single Page Applications (SPAs) to afford continuous access on the web.
Top comments (0)