refresh_token_exposed
please-open.it edited this page Feb 27, 2020 · 2 revisions
A refresh_token is a kind of credential used to obtain a new access_token without asking the user for a login/password again. In other words, it is what the "keep me signed in" option uses.
https://tools.ietf.org/html/rfc6749#section-1.5
This token can only be used with the authentication server. A backend should never see a refresh_token.
Never send a refresh_token anywhere else. Keep it in local storage or a cookie (on the same domain as the authentication server), and use it only to obtain a new access_token with the refresh_token grant.
https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/
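As an added example (not code from this wiki or from please-open.it), the following Python shows the refresh_token grant from RFC 6749 section 6 as the client sends it, a guard that refuses to let a refresh_token leave the client for any URL other than the token endpoint, and the handling of a rotated refresh_token in the response. The authorization server URL, token endpoint path, client id and token values are constructed placeholders.

```python
"""Refresh-token grant (RFC 6749 section 6) plus a leak guard for the refresh_token.

All URLs and token values below are constructed placeholders for the example.
"""
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_SERVER = "https://auth.example.com"        # assumed authentication server (placeholder)
TOKEN_ENDPOINT = AUTH_SERVER + "/oauth2/token"  # assumed token endpoint path (placeholder)


class RefreshTokenLeak(Exception):
    """Raised when a refresh_token is about to be sent somewhere other than the token endpoint."""


def build_refresh_request(refresh_token, client_id, scope=None):
    """Return (url, headers, body) for the refresh_token grant.

    The client POSTs grant_type=refresh_token and the refresh_token itself,
    form-encoded, to the token endpoint only. Optional scope may only narrow
    what was originally granted, never widen it.
    """
    params = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
    }
    if scope:
        params["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, urlencode(params)


def check_outgoing_request(url, headers, body):
    """Guard to run on every outgoing request before it leaves the client.

    Returns True when the request is safe to send; raises RefreshTokenLeak when
    a refresh_token appears in the form body or query string of a request that is
    not going to the token endpoint (e.g. a call to the application backend).
    """
    target = urlparse(url)
    token_ep = urlparse(TOKEN_ENDPOINT)
    form_fields = parse_qs(body or "")
    query_fields = parse_qs(target.query)
    carries_refresh = "refresh_token" in form_fields or "refresh_token" in query_fields
    is_token_endpoint = (
        (target.scheme, target.netloc, target.path)
        == (token_ep.scheme, token_ep.netloc, token_ep.path)
    )
    if carries_refresh and not is_token_endpoint:
        raise RefreshTokenLeak("refresh_token would be sent to %s" % url)
    return True


def apply_token_response(stored, response):
    """Update the client's stored tokens from a token-endpoint response.

    The server may rotate the refresh_token; when it does, RFC 6749 section 6
    requires the client to discard the old one and keep the new one.
    """
    updated = dict(stored)
    updated["access_token"] = response["access_token"]
    if "refresh_token" in response:
        updated["refresh_token"] = response["refresh_token"]
    return updated


if __name__ == "__main__":
    stored = {"access_token": "AT-old", "refresh_token": "RT-constructed"}
    url, headers, body = build_refresh_request(stored["refresh_token"], "spa-client")
    check_outgoing_request(url, headers, body)  # token endpoint: allowed
    # Constructed server response with a rotated refresh_token.
    stored = apply_token_response(stored, {"access_token": "AT-new", "refresh_token": "RT-rotated"})
    try:
        # Same form body aimed at an application backend: refused.
        check_outgoing_request("https://api.example.com/v1/orders", {}, body)
    except RefreshTokenLeak as exc:
        print("blocked:", exc)
```

The guard is deliberately keyed on the full token endpoint URL rather than on the host alone, so a refresh_token aimed at another path on the authentication server's domain is also refused; only the token endpoint ever needs it.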