Achieving a Seamless User Experience with Refresh Token Inactivity Lifetimes

Delight users while providing a secure CIAM solution for accessing applications and services.

Brought to you by @randynasson


How did you like this post? Please share any comments or feedback with us on this thread!



It's not actually clear what the difference is between Native Apps and SPAs in the context of the article, and why it is safer to avoid Refresh Token Rotation for Native Apps than for SPAs with only the Inactivity Lifetime enabled.

Hello @viktorvsk. The reason the default for RTR is set to disabled for Native Apps is merely to avoid a change in behavior for customers (adding refresh token rotation) that expect Native Apps to not rotate those tokens. So the only new behavior we introduced here were the default expiration settings. We set the default rotation behavior for SPAs to enabled because previously we did not allow refresh tokens to be used in SPAs, so enabling this by default sets the correct/secure behavior that complies with recommended security best practices.
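To make the two settings discussed in this thread concrete, here is an added example (written for this thread, not Auth0's implementation and not code from the article) of a minimal server-side refresh-token store. It models an inactivity lifetime, an absolute lifetime, and rotation as an on/off setting, matching the way the reply above describes rotation as disabled by default for Native Apps and enabled by default for SPAs. The lifetime values, the choice to revoke the whole token family when an already-rotated token is presented again, and every class and function name are assumptions made for the example.

```python
# Added example: a toy refresh-token store with inactivity lifetime, absolute
# lifetime, and optional rotation. Not Auth0's code; all names and values are
# assumptions chosen for illustration.
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

DAY = 24 * 3600


@dataclass
class _Record:
    family: str             # every token descending from one login shares a family
    family_issued_at: float  # absolute lifetime is counted from the first login
    last_used_at: float      # inactivity lifetime is counted from the last use
    revoked: bool = False


@dataclass
class RefreshResult:
    ok: bool
    token: Optional[str]    # token the client should present next time (None on failure)
    reason: str


class RefreshTokenStore:
    def __init__(self, rotate: bool, inactivity_lifetime: float, absolute_lifetime: float):
        self.rotate = rotate                      # False: Native App default, True: SPA default
        self.inactivity_lifetime = inactivity_lifetime
        self.absolute_lifetime = absolute_lifetime
        self._records: dict[str, _Record] = {}    # keyed by SHA-256 of the token, never the token
        self._families: dict[str, list[str]] = {}

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, family: str, family_issued_at: float, now: float) -> str:
        token = secrets.token_urlsafe(32)
        digest = self._h(token)
        self._records[digest] = _Record(family, family_issued_at, now)
        self._families.setdefault(family, []).append(digest)
        return token

    def issue(self, now: float) -> str:
        """Called at login: starts a brand-new token family."""
        return self._mint(secrets.token_hex(8), now, now)

    def revoke_family(self, family: str) -> None:
        """Invalidate every token ever issued in this family (assumed reuse-detection policy)."""
        for digest in self._families.get(family, []):
            self._records[digest].revoked = True

    def refresh(self, token: str, now: float) -> RefreshResult:
        """Exchange a refresh token; enforces both lifetimes and, if enabled, rotation."""
        rec = self._records.get(self._h(token))
        if rec is None:
            return RefreshResult(False, None, "unknown_token")
        if rec.revoked:
            # A rotated (or otherwise revoked) token came back: treat as reuse and
            # burn the whole family so neither the old nor the new holder can continue.
            self.revoke_family(rec.family)
            return RefreshResult(False, None, "revoked_or_reused")
        if now - rec.family_issued_at > self.absolute_lifetime:
            self.revoke_family(rec.family)
            return RefreshResult(False, None, "absolute_lifetime_exceeded")
        if now - rec.last_used_at > self.inactivity_lifetime:
            self.revoke_family(rec.family)
            return RefreshResult(False, None, "inactivity_lifetime_exceeded")
        rec.last_used_at = now
        if not self.rotate:
            # Rotation off: the same token stays valid, only its inactivity clock resets.
            return RefreshResult(True, token, "ok")
        # Rotation on: the presented token is spent and a new one is issued in the family.
        rec.revoked = True
        return RefreshResult(True, self._mint(rec.family, rec.family_issued_at, now), "rotated")


if __name__ == "__main__":
    store = RefreshTokenStore(rotate=True, inactivity_lifetime=30 * DAY, absolute_lifetime=90 * DAY)
    first = store.issue(now=0)
    print(store.refresh(first, now=1 * DAY).reason)   # rotated
    print(store.refresh(first, now=2 * DAY).reason)   # revoked_or_reused
```

With rotation off, a single token can stay valid indefinitely as long as each use falls inside the inactivity window, which is exactly why the absolute lifetime is enforced from the family's first issuance rather than from the last use. With rotation on, every exchange spends the presented token, so a leaked token that is replayed after the legitimate client has already rotated is caught by the `revoked` branch.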