Answer the question
In order to leave comments, you need to log in
Oauth, how to properly implement refresh and access tokens for a user with multiple devices?
Hello!
I needed to authorize my users via oauth, the idea was simple, to do the same as described on Habré https://habrahabr.ru/company/Voximplant/blog/323160/ .
The villain stole tokens from the user and did not use the refresh - the user updated the token, and the villain was thrown out.
The villain stole tokens from the user and used a refresh - the user logged in, and the villain was thrown out again.
But here a problem arises - what to do if the user is sitting on several devices? When he logs in from the second computer, it cannot be distinguished whether the last session was taken away from him, and he re-logs in having lost his access token, or wants to save both sessions.
Of course, when logging in, you can also request a refresh for which it was not possible to update, but maybe there is an accepted and not a crutch method?
Answer the question
In order to leave comments, you need to log in
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question