How does the refresh token work? Where is it stored?

Hi

I have two questions:

  1. When we use useRefreshTokens with React, the Auth0 SDK automatically fetches a refresh token and uses it to auto-login when we refresh the page. But where is the refresh token stored and used automatically on reload?

  2. There are two React apps using the same Auth0 tenant (useRefreshTokens is true). How can we make it possible that a user who is logged in to app1 gets automatically logged in to app2?
    Can app1 transfer the refresh token to app2?

Thanks

Hi @ritiwari369,

Welcome to the Auth0 Community!

This blog explains how it works: Securing Single Page Applications with Refresh Token Rotation

You should not transfer tokens between applications. The token is issued to a specific application and sharing it with another is not intended.

You can use SSO to maintain the session between applications. SSO is enabled by default and the user should not have to submit credentials if a session already exists for your tenant.

2 Likes

Thanks @dan.woda 🙂

According to the documentation, refresh tokens are stored in memory for safety. But we can change the storage location to browser storage by specifying it in Auth0Provider.

    <Auth0Provider
      clientId={config.clientID}
      domain={config.customDomain}
      redirectUri={window.location.origin}
      scope={config.scope}
      useRefreshTokens
      cacheLocation="localstorage"
    >
      {children}
    </Auth0Provider>

1 Like
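
What the two `cacheLocation` choices discussed above mean across a page reload, as an added example that is not code from this thread or from the Auth0 SDK. `FakeStorage`, `loadPage`, `tokenAfterReload`, `findPersistedTokens`, the cache key and the token value are all constructed for illustration.

```javascript
// Stand-in for window.localStorage so this runs outside a browser (constructed).
class FakeStorage {
  constructor() { this.data = new Map(); }
  getItem(k) { return this.data.has(k) ? this.data.get(k) : null; }
  setItem(k, v) { this.data.set(k, String(v)); }
  get length() { return this.data.size; }
  key(i) { return [...this.data.keys()][i] ?? null; }
}

// One call = one page load. A memory cache lives only inside this JavaScript
// context; a "localstorage" cache writes through to the origin's storage.
function loadPage(cacheLocation, storage) {
  const memory = new Map();
  if (cacheLocation === "localstorage") {
    return {
      get: (k) => JSON.parse(storage.getItem(k)),
      set: (k, v) => storage.setItem(k, JSON.stringify(v)),
    };
  }
  return { get: (k) => memory.get(k) ?? null, set: (k, v) => { memory.set(k, v); } };
}

// Constructed sample values; the key is not the SDK's real cache key format.
const KEY = "example-app::token-entry";
const ENTRY = { refresh_token: "constructed-refresh-token", expires_in: 86400 };

// Cache a token on one page load, then look it up from a fresh load (a reload).
function tokenAfterReload(cacheLocation, storage = new FakeStorage()) {
  loadPage(cacheLocation, storage).set(KEY, ENTRY);
  return loadPage(cacheLocation, storage).get(KEY);
}

// Audit check: storage keys whose JSON value carries a refresh token. Anything
// listed is readable by every script that runs on the origin.
function findPersistedTokens(storage) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    try {
      if (JSON.parse(storage.getItem(key))?.refresh_token) hits.push(key);
    } catch { /* value is not JSON, so not a cached token entry */ }
  }
  return hits;
}
```

In a browser, `findPersistedTokens(window.localStorage)` runs the same check against the real storage of the current origin.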

That’s correct, thanks for providing the additional context.

1 Like
