Day 3: Dev to Dev Hub High‑Five

I really enjoyed this post by Nik on sessions and refresh tokens. It’s important to understand that there are different session layers and the responsibility a dev has when it comes to the application layer. In practice, it’s recommended to use short-lived tokens to shorten the window of opportunity for malicious users, but this introduces potential user friction since this means you have to re-authenticate more often. However, as Nik points out, refresh tokens (and token rotation) address this friction by allowing for silent authentication as long as the user’s IdP session is still valid.

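To make the trade-off in the post concrete, here is a small added example (my own illustration, not code from Nik's post or from any real IdP) that models the application-layer pieces in Python: a short-lived HMAC-signed access token, a refresh token that is rotated on every use, reuse detection that revokes the whole token family when a rotated-out token comes back, and a check that silent renewal only works while the (simulated) IdP session is still alive. The `AuthServer`, `TokenFamily` and `FakeClock` names, the in-memory stores and the TTL values are all constructed for the example; a real deployment would call the IdP's token endpoint and persist state server-side.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 300      # short-lived access token: 5 minutes (constructed value)
REFRESH_TTL = 86400   # absolute lifetime of a refresh-token family: 24 hours


class FakeClock:
    """Controllable clock so the example can fast-forward past expiries."""
    def __init__(self, start):
        self.t = float(start)

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class TokenFamily:
    user: str
    current_refresh: str   # only the most recently issued refresh token is live
    expires_at: float
    revoked: bool = False


class AuthServer:
    """Hypothetical in-memory authorization server (example only)."""

    def __init__(self, now=time.time):
        self.now = now
        self.key = secrets.token_bytes(32)   # HMAC key for access tokens
        self.families = {}        # family_id -> TokenFamily
        self.refresh_index = {}   # every refresh token ever issued -> family_id
        self.idp_sessions = {}    # user -> simulated IdP session expiry

    def login(self, user, idp_session_ttl):
        """Interactive login: start an IdP session and a new refresh-token family."""
        self.idp_sessions[user] = self.now() + idp_session_ttl
        family_id = secrets.token_urlsafe(8)
        refresh = secrets.token_urlsafe(32)
        self.families[family_id] = TokenFamily(user, refresh, self.now() + REFRESH_TTL)
        self.refresh_index[refresh] = family_id
        return self._mint_access(user), refresh

    def _mint_access(self, user):
        exp = int(self.now()) + ACCESS_TTL
        payload = f"{user}.{exp}"
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{sig}"

    def verify_access(self, token):
        """Return the user if the access token is authentic and unexpired, else None."""
        try:
            user, exp, sig = token.rsplit(".", 2)
        except ValueError:
            return None
        expected = hmac.new(self.key, f"{user}.{exp}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        if int(exp) <= self.now():
            return None
        return user

    def refresh(self, refresh_token):
        """Silent renewal: rotate the refresh token and mint a new access token."""
        family_id = self.refresh_index.get(refresh_token)
        if family_id is None:
            raise PermissionError("unknown refresh token")
        fam = self.families[family_id]
        if fam.revoked:
            raise PermissionError("token family revoked")
        if refresh_token != fam.current_refresh:
            # A rotated-out token came back: two parties hold copies and we cannot
            # tell which is legitimate, so the whole family is revoked.
            fam.revoked = True
            raise PermissionError("refresh token reuse detected; family revoked")
        if self.now() >= fam.expires_at:
            raise PermissionError("refresh token expired")
        if self.idp_sessions.get(fam.user, 0) <= self.now():
            # Silent renewal is only allowed while the IdP session is still alive.
            fam.revoked = True
            raise PermissionError("IdP session ended; re-authenticate interactively")
        new_refresh = secrets.token_urlsafe(32)
        fam.current_refresh = new_refresh
        self.refresh_index[new_refresh] = family_id
        return self._mint_access(fam.user), new_refresh


def _denied(fn, *args):
    """True if the call is refused with PermissionError."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def demo():
    """Walk through the lifecycle; returns a dict of named outcomes."""
    clock = FakeClock(1_000_000)
    srv = AuthServer(now=clock.now)
    access, refresh = srv.login("alice", idp_session_ttl=3600)
    out = {"fresh_ok": srv.verify_access(access) == "alice"}
    clock.advance(ACCESS_TTL + 1)                       # access token ages out
    out["expired_rejected"] = srv.verify_access(access) is None
    access2, refresh2 = srv.refresh(refresh)            # silent renewal, no login prompt
    out["silent_renew_ok"] = srv.verify_access(access2) == "alice"
    out["reuse_detected"] = _denied(srv.refresh, refresh)     # replay of old token
    out["family_revoked"] = _denied(srv.refresh, refresh2)    # legit token dies too
    _, refresh3 = srv.login("alice", idp_session_ttl=3600)
    clock.advance(3601)                                 # IdP session lapses
    out["idp_expiry_enforced"] = _denied(srv.refresh, refresh3)
    return out


if __name__ == "__main__":
    print(demo())
```

The point the post makes falls out of `demo()`: the access token dies after five minutes, but the user is not prompted because `refresh()` hands back a new pair; the friction only returns once the IdP session itself has ended. Rotation plus reuse detection is what makes the long-lived refresh token tolerable, since a copied token is good for at most one use before the family is shut down.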