I’ve read this article (https://auth0.com/docs/tokens/concepts/refresh-token-rotation) about
Refresh Token Rotation, and have some questions about it:
- Can I save Refresh Token into localStorage if Refresh Token Rotation is enabled?
I know I shouldn’t save the Refresh Token into localStorage if the feature isn’t enabled because of XSS.
- If so, why?
As far as I understood, the Rotation feature shortens the lifetime of the Refresh Token compared to before, and it reduces the risk of it being stolen.
However, I think attackers can use the refresh token to impersonate someone else, even though the token's lifetime is no longer than that of a normal refresh token.
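To illustrate the mechanism the question is about, here is a toy server-side model of refresh token rotation with reuse detection; it is an added example, not code from the post or from Auth0, and the class and method names are assumptions. It assumes rotation makes every refresh token single-use and that presenting an already-rotated token revokes the whole token family, so a stolen copy replayed after the legitimate client has rotated is rejected and the attacker's session dies with it.

```python
import secrets
import time


class RefreshTokenStore:
    """Hypothetical store: each refresh token is single-use and belongs to a family."""

    def __init__(self, lifetime_seconds=3600):
        self.lifetime = lifetime_seconds
        # token -> {"family": str, "used": bool, "expires": float}
        self.tokens = {}
        self.revoked_families = set()

    def issue(self, family=None, now=None):
        """Mint a new refresh token; a new family is started when none is given."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        family = family or secrets.token_hex(8)
        self.tokens[token] = {"family": family, "used": False,
                              "expires": now + self.lifetime}
        return token

    def rotate(self, token, now=None):
        """Exchange a refresh token for a fresh one. Returns None on rejection."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec["family"] in self.revoked_families:
            return None
        if now > rec["expires"]:
            return None
        if rec["used"]:
            # Reuse detected: this token was already rotated once, so either the
            # legitimate client or a thief is replaying it. Revoke the family so
            # neither copy can be refreshed again and the user must log in anew.
            self.revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return self.issue(rec["family"], now)
```

The `now` parameter exists only so the example can be exercised deterministically; a real store would also persist the family state and log the revocation event for detection.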