
As I understand it, the basic idea is that you have an accessToken (15 minutes) and a refreshToken (1 week). A few moments before the accessToken expires, you need to ask the server for a new accessToken.

If the user closed the browser before the 15 minutes end, and the client didn't refresh the tokens, you need to re-login because the accessToken is obsolete and you can't refresh the accessToken without both of the tokens.

Isn't that a bad experience? If I'm not active for 15 minutes, I need to re-login...

Am I missing something here?

  • Is this a security question or a UX question? And what's the site? What type of data is being processed? – schroeder Feb 06 '22 at 19:33
  • *"and you can't refresh the accessToken without both of the tokens."* - What makes you think you cannot get a new accessToken just with the (still valid) refreshToken? – Steffen Ullrich Feb 06 '22 at 19:45
  • @schroeder It's about the correct way to implement refresh tokens in a web environment. It's a personal dashboard for a user about their data, B2C kind of data. – SexyMF Feb 07 '22 at 19:22
  • @SteffenUllrich, because if someone steals my `refreshToken` he can generate new `accessTokens` as much as he wants for a week. If I can generate tokens just by using the `refreshToken`, I don't see a reason to steal the `accessToken`. No? – SexyMF Feb 07 '22 at 19:26
  • The question you ask is "Isn't that bad experience? Am I missing something here?" -- so you are now saying you want to know the secure ***length*** of time? What *are* you asking? – schroeder Feb 07 '22 at 19:54
  • So, if you are looking for "best practice", I googled `refreshtoken` and got OWASP and Auth0 providing what you appear to want to know: https://auth0.com/learn/refresh-tokens/ – schroeder Feb 07 '22 at 20:05
  • And as for stolen refresh tokens, the search term above leads to: https://datatracker.ietf.org/doc/html/rfc6749#section-10.4 "The authorization server MUST verify the binding between the refresh token and client identity whenever the client identity can be authenticated." – schroeder Feb 07 '22 at 20:05
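An added example (not code from the question or from the linked sources) of the flow the comments describe, in Python: after the browser was closed and the 15-minute access token expired, the client needs only the still-valid refresh token to get a new pair, and the refresh token is bound to a client identity and rotated on every use so that a replayed copy (the theft case raised above) is detected and the whole token family is revoked, in the spirit of RFC 6749 §10.4. The `AuthServer` class, its token tables, the client ids and the injectable clock are all constructed for this example.

```python
import secrets
import time

ACCESS_TTL = 15 * 60          # access token lifetime: 15 minutes
REFRESH_TTL = 7 * 24 * 3600   # refresh token lifetime: 1 week


class AuthServer:
    """Toy authorization server (constructed for this example): opaque random
    tokens kept in server-side tables, refresh tokens bound to a client id,
    rotated on every use, with replay detection per token family."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so a test can fast-forward
        self.access = {}          # access token -> (user, expiry)
        self.refresh = {}         # live refresh token -> (user, client, expiry, family)
        self.used = {}            # rotated-out refresh token -> family
        self.revoked = set()      # families revoked after a replay was seen

    def _mint(self, user, client, family):
        t = self.now()
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (user, t + ACCESS_TTL)
        self.refresh[rt] = (user, client, t + REFRESH_TTL, family)
        return at, rt

    def login(self, user, client):
        return self._mint(user, client, secrets.token_hex(8))  # new family per login

    def verify_access(self, at):
        rec = self.access.get(at)
        return rec[0] if rec and rec[1] > self.now() else None

    def refresh_tokens(self, rt, client):
        """Exchange a refresh token alone for a new pair; the old access token
        may already be expired. Returns None when the request is refused."""
        if rt in self.used:                      # replay of a rotated token: either
            self.revoked.add(self.used[rt])      # the client or a thief holds a copy
            return None
        rec = self.refresh.pop(rt, None)
        if rec is None:
            return None
        user, bound_client, exp, family = rec
        self.used[rt] = family                   # burned even if refused below
        if exp <= self.now() or bound_client != client or family in self.revoked:
            return None                          # expired, wrong client, or revoked family
        return self._mint(user, client, family)
```

Access tokens already issued in a revoked family stay valid until their own 15-minute expiry, which is exactly why the access lifetime is kept short.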

0 Answers