The Refresh Token, when paired with the Client ID and Secret, can be used to generate a new Access Token. It should be securely stored and encrypted. You should only store those tokens that are necessary for your application to function alongside your codebase.
How do I store refresh token securely?
The Authorization Code flow is inherently designed to be used with a secure client, e.g. a server, that is guarded enough to hold the Client Secret. If your client is secure enough to hold that secret, just put the Refresh Token in the same secure storage as your Client Secret.
Should refresh token be stored in database?
You can replace the refresh token on each refresh, but remember that you need to store all expired refresh tokens until their lifetime is over. From a security perspective it makes sense to create a new token, but it is a trade-off between security and the amount of data in your database.
What if refresh token is compromised?
The idea of refresh tokens is that if an access token is compromised, because it is short-lived, the attacker has a limited window in which to abuse it. Refresh tokens, if compromised, are useless because the attacker requires the client id and secret in addition to the refresh token in order to gain an access token.
Why are refresh tokens more secure?
The reason for that is the sensitivity of this piece of information. You can think of it as user credentials, since a Refresh Token allows a user to remain authenticated essentially forever. Therefore you cannot have this information in a browser, it must be stored securely.
Store your access token in memory, and store the refresh token in the cookie. Why is this safe from CSRF? Yes, a form submission to /refresh_token would work and a new access token would be returned, but the attacker can’t read the response if they’re using an HTML form.
When should I remove refresh token?
Yes, you should. After logout, when the user logs in again, a new access token with a new refresh token will be issued, so you should not keep the old refresh token. Whether you delete it or not, a refresh token will be issued again on the next login (if your grant allows it).
Should I save access token database?
A lot of these answers are outdated as they were written before the widespread adoption of JSON Web Tokens (JWT). You should treat an access_token as good as having an email/password pair in hand, so it needs to be stored and transmitted securely.
How long should a refresh token last?
The refresh token is set with a very long expiration time of 200 days. If the traffic to this API is 10 requests/second, then it can generate as many as 864,000 tokens in a day.
Why we need access token and refresh token?
Modern secure applications often use access tokens to ensure a user has access to the appropriate resources, and these access tokens typically have a limited lifetime. … A refresh token allows an application to obtain a new access token without prompting the user.
How do I stop Google from revoking my refresh token?
Then, in the OAuth Playground, the configuration panel is the cog in the upper right; select that, select "Use your own OAuth credentials", then fill in your client ID and client secret. That should prevent the Refresh Token from being revoked.
What is the purpose of a refresh token?
A refresh token is a special token that is used to obtain additional access tokens. This allows you to have short-lived access tokens without having to collect credentials every time one expires.
Can a refresh token be reused?
When a client uses a refresh token, it always receives a new refresh token for next time. As a result, each refresh token is used only once. In these scenarios, the reuse of a refresh token triggers all kinds of alarms at the authorization server.
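The rotation and reuse detection described above, written out as an added example (not code from the original page): each login starts a token "family", every refresh spends the presented token and issues a fresh one in the same family, and presenting a spent token again revokes the whole family. The class, its field names and the in-memory store are constructed for illustration; the 200-day default lifetime echoes the earlier answer, and spent records are kept until they expire, as the database answer recommends.

```python
import hashlib
import secrets
import time

# Constructed in-memory store for this example; a real server would persist it.
class RefreshTokenStore:
    """Rotating refresh tokens: each use spends the token and issues a new one
    in the same family (login session); reuse of a spent token revokes the family."""

    def __init__(self, lifetime_seconds=200 * 24 * 3600):
        self.lifetime = lifetime_seconds
        self._tokens = {}  # sha256(token) -> {family, user, spent, expires}
        self._revoked_families = set()

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked database does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user, family, now):
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {
            "family": family, "user": user, "spent": False,
            "expires": now + self.lifetime,
        }
        return token

    def login(self, user, now=None):
        """Start a new token family at login and return its first refresh token."""
        return self._issue(user, secrets.token_hex(8), now or time.time())

    def rotate(self, token, now=None):
        """Exchange a refresh token for a new one: (user, new_token) or None."""
        now = now or time.time()
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec["expires"] <= now or rec["family"] in self._revoked_families:
            return None
        if rec["spent"]:
            # Second use of a spent token means a stolen copy exists: revoke the whole family.
            self._revoked_families.add(rec["family"])
            return None
        rec["spent"] = True
        return rec["user"], self._issue(rec["user"], rec["family"], now)

    def purge_expired(self, now=None):
        """Drop records whose lifetime is over; until then they must be kept."""
        now = now or time.time()
        self._tokens = {h: r for h, r in self._tokens.items() if r["expires"] > now}
        return len(self._tokens)
```

Revoking the family on reuse cuts off both the thief and the legitimate client, which is the intended trade: the user re-authenticates, the attacker is locked out.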
Is refresh token optional?
A refresh token is optional. The implicit grant type in OAuth2 does not have the option to issue refresh tokens.