Answer the question
In order to leave comments, you need to log in
How to safely use refresh token?
Scenario when a hacker steals a refresh token.
Various tutorials tell how it is not scary, because when a real user tries to use it, he will allegedly become invalid. But after using it, a hacker will have time to get a new pair of access + refresh tokens! It turns out that the hacker will have an infinitely reusable chain (like the second login), and the user will have his own new pair in parallel when he is thrown to the re-login.
Yes, I can only store 1 refresh token for 1 user, but this is nonsense - if the user wants to log in to 2 PCs? Therefore, this option does not roll. How then will you protect yourself and why does this not bother anyone?
Answer the question
In order to leave comments, you need to log in
All systems that are on the market have an invalidation system for both access token and refresh token. This can be done by both the Identity Server administrator and the user himself. As for protection against theft, the same recommendations are here as with everything else.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question