Can I save Refresh Token into localStorage if `Refresh Token Rotation` is enabled?

Hi,

I’ve read this article (Refresh Token Rotation) about Refresh Token Rotation, and have some questions about it:

  1. Can I save Refresh Token into localStorage if Refresh Token Rotation is enabled?

I know I shouldn’t save the Refresh Token into localStorage if the feature isn’t enabled because of XSS.

  2. If so, why?

As far as I understand, the Rotation feature shortens the lifetime of the Refresh Token compared to before, and that reduces the risk of it being stolen.
However, I think attackers can still use the refresh token to impersonate someone else, even though the token’s lifetime is no longer than a normal refresh token’s.

thanks,


Hi @tamuhey,

Welcome to the Community!

Yes. With the re-use detection capability of RTR they can be stored in localStorage. If you aren’t currently using the auth0-spa-js SDK, I would recommend taking a look to see if it fits your use case:

https://auth0.com/docs/libraries/auth0-spa-js#use-rotating-refresh-tokens

If a non-rotating refresh token was compromised in an XSS attack, an attacker could make requests with this token without any automatic mechanism for detecting and revoking the token. RTR adds a mechanism for automatically revoking a token that is compromised. This is explained at length in our blog:

The added security of RTR comes from their rotating nature, not just their lifetime. This prevents a token from being used simultaneously by an attacker and an authenticated user. More on that in the blog I linked.


Thank you for your reply!
I understood that the key to this feature is that it invalidates the RT and all its descendants when it is reused. It’s so cool!


It’s pretty neat! Let us know if you have any other questions.
