Can I save Refresh Token into localStorage if `Refresh Token Rotation` is enabled?

Hi,

I’ve read this article (Refresh Token Rotation) about Refresh Token Rotation, and have some questions about it:

  1. Can I save Refresh Token into localStorage if Refresh Token Rotation is enabled?

I know I shouldn’t save the Refresh Token into localStorage if the feature isn’t enabled, because of XSS.

  2. If so, why?

As far as I understood, the Rotation feature shortens the lifetime of the Refresh Token compared with before, and it reduces the risk of theft.
However, I think attackers can use the refresh token to impersonate someone else, even though the lifetime of the token is not longer than that of a normal refresh token.

thanks,

Hi @tamuhey,

Welcome to the Community!

Yes. With the re-use detection capability of RTR they can be stored in localStorage. If you aren’t currently using the auth0-spa-js SDK, I would recommend taking a look to see if it fits your use case:

https://auth0.com/docs/libraries/auth0-spa-js#use-rotating-refresh-tokens

If a non-rotating refresh token was compromised in an XSS attack, an attacker could make requests with this token without any automatic mechanism for detecting and revoking the token. RTR adds a mechanism for automatically revoking a token that is compromised. This is explained at length in our blog:

The added security of RTR comes from its rotating nature, not just the token lifetime. This prevents a token from being used simultaneously by an attacker and an authenticated user. More on that in the blog I linked.

Thank you for your reply!
I understood that the key to this feature is that it invalidates the RT and all its descendants when it is reused. It’s so cool!

It’s pretty neat! Let us know if you have any other questions.