Auth0 is proud to announce that as of today, Refresh Token Rotation with Reuse Detection is available for all public cloud customers.
Refresh Token Rotation provides a secure method for using refresh tokens in SPAs while providing end-users with seamless access to resources without the disruption in UX caused by browser privacy technology like ITP.
With Refresh Token Rotation enabled, every time a client exchanges an RT to get a new AT, a new RT is also returned. This means you don't need to worry about having a long-lived RT that, if compromised, could provide illegitimate access to resources. As RTs are continually exchanged and invalidated, the threat surface area is greatly reduced.
Auth0 makes it easy to get started with Refresh Token Rotation. You can enable this capability for any application using the following flows:
OAuth2 Authorization Code Flow
OAuth2 Authorization Code Flow with Proof Key for Code Exchange (PKCE)
OAuth2 Device Authorization Grant (Device Flow)
Resource Owner Password Grant (ROPG)
Learn more about Refresh Token Rotation from our Director of Product Management in this blog post:
Thank you for this update!
Hi, I'm interested in reading the blog post for securing SPAs with refresh token rotation, but the link provided seems to be broken.
Good job guys!
Just curious how this works with SSO? We're using cookie based authentication now to handle SSO between our two applications, but we're experiencing issues with the newest versions of Safari, which has third party cookies disabled by default. Actually the normal authentication with your auth0-spa-js library doesn't work with that browser.
Refresh Token Rotation is supposedly the solution for that and in fact the login flow for one application works beautifully with the auth0-spa-js when useRefreshTokens is set to true. But instead it breaks our SSO setup, where formerly we were able to navigate to Site B and automatically be logged in there thanks to checkSession and the auth0 cookie.
I wanted to know whether this newly built feature has any impact on ID Token Expiration time.
Because I have set ID Token Expiration time to 108000 seconds but don't know why it is not reflecting now.
Irrespective of ID Token Expiration time, the parseToken method in code always returns 7200 seconds in the expires_at property.
I was looking at the settings for an application, and I can see that there is a field called "Refresh Token Lifetime (Absolute)" with the caption "Control the absolute timeout beyond which the refresh_token will expire and no longer be rotated (in seconds)". Does that mean that we also get a way to set the expiry time for a refresh token? If that's the case, then this is truly awesome!
update: to answer my own question - yes, this allows you to set an expiry time for the refresh token - the expiry time is not extended when the token is rotated. So, this means that you have to re-authenticate every X number of seconds no matter how many times you rotate the refresh token - default is 30 days, and maximum is 90 days.
When a new token cannot be fetched because of an invalid refreshToken, auth0-spa-js throws an unhandled error. This is happening only on localhost. Any idea why it happens on localhost, and how should I wrap the library so that if an invalid refresh token is used to fetch a new access_token it will just log out?
Hi, I want to make a client in a .NET application using Auth0 as the authorization server or OIDC provider.
So please help with sample code in .NET for SSO (login to my website using Auth0 credentials and proceed with the userinfo details along with the roles).
I have tried switching the type of application and updating offline access on the API… I seriously cannot figure out why I can't get a refresh token.
This has been an ongoing struggle for quite some time now, and all I want to achieve is the ability to have a silent login from my app's secure storage.
Sorry for the long long rant but I am seriously so confused if it is a configuration in my account or if I am just missing a piece of the puzzle.