DEV Community

Discussion on: What is the usual flow in authenticating a Client Application with a Token based REST API?

Nick Karnik

Just curious, why are you using refresh tokens if you are not sure what to do with it?

endan

I know how refresh tokens work and their purpose; it adds another layer of security to the API. But what I do not know, and wish to know, is how to implement them the right way. You see, I don't have formal education about this and I am just trying to teach myself. 😶

Nick Karnik

Can you explain more about your use case? Is this a web app or a mobile app? What sort of security is a refresh token providing? I'm trying to understand the intent of using a refresh token here.

endan

It will be a web app. I want to utilize the concept of refresh tokens because keeping a permanent access token looks bad to me. If the token gets stolen, then a user can be spoofed. If I do put an expiry on it, though, they would have to log in every time the token expires. Wouldn't that be a hassle? That's why I want to use refresh tokens.

Nick Karnik

Fair enough. Which supplementary information are you planning on submitting with the refresh token to get an access token?

endan

I'm not sure... I think only the refresh token alone?

Nick Karnik

I see. How does it make it secure in that case? Anyone who gets hold of the refresh token can still request an access token, right? I think the idea of a secure refresh token is that anyone who discovers it cannot do anything with it, because additional pieces of information are required in order to request an access token.

Ayaz Hussein

Hey, what other information can be used to differentiate between a stolen refresh token and a valid refresh token?

Blake Wight

This reply is a bit late, but perhaps useful to a future passer-by. What you could do is have the front end pass in some information about where they are located and/or their device/browser, and then tie refresh tokens to each device/browser. This could allow the user to revoke refresh tokens per location/device. If a request provides a token from a new location (for that token), revoke it and require another login from that device. Still spoofable, but it adds another layer.
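As an added illustration of the device-bound refresh token idea in the reply above (example code, not from the thread or any of its participants): a minimal server-side store that binds each refresh token to a fingerprint supplied with the request, rotates the token on every successful use, and revokes it when it is presented from a different device. The store layout, the TTL values and the fingerprint strings are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Constructed example; the TTLs below are an assumed policy, not a standard.
REFRESH_TTL = 30 * 24 * 3600  # refresh tokens live 30 days
ACCESS_TTL = 15 * 60          # access tokens live 15 minutes


def _digest(token: str) -> str:
    # Only a hash of the refresh token is persisted, so a leaked table
    # does not hand an attacker usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class RefreshTokenStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock, handy for tests
        self._records = {}       # digest -> {user, fingerprint, expires}

    def issue(self, user: str, fingerprint: str) -> str:
        """Mint a refresh token bound to one device/browser fingerprint.
        The fingerprint is client-influenced and therefore spoofable, as the
        thread notes; it raises the bar, it does not replace other checks."""
        token = secrets.token_urlsafe(32)
        self._records[_digest(token)] = {
            "user": user,
            "fingerprint": fingerprint,
            "expires": self._now() + REFRESH_TTL,
        }
        return token

    def redeem(self, token: str, fingerprint: str):
        """Exchange a refresh token for (access claims, rotated refresh token).
        Returns None if the token is unknown, expired, or presented from a
        different device; a mismatch also burns the token, so the real user
        must log in again on that device and a thief gets nothing."""
        rec = self._records.pop(_digest(token), None)  # single use: rotate
        if rec is None or rec["expires"] < self._now():
            return None
        if rec["fingerprint"] != fingerprint:
            return None  # record already removed above: token is dead
        access = {"sub": rec["user"], "exp": self._now() + ACCESS_TTL}
        return access, self.issue(rec["user"], fingerprint)

    def revoke_all(self, user: str) -> int:
        """Log a user out of every device at once; returns tokens removed."""
        doomed = [d for d, r in self._records.items() if r["user"] == user]
        for d in doomed:
            del self._records[d]
        return len(doomed)
```

Replay of a rotated token, and any presentation from an unexpected device, both fail closed; logging those two events gives the detection signal the thread is asking for.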