Is simultaneous login possible when using rotating refresh tokens in SPA?

Hi everyone,

to my understanding simultaneous login (on various devices) is not possible when one wants to rely solely on rotating refresh tokens in SPA.

Example: If a user logs in on device A, an AT and RT are stored on the users device (AT-A & RT-A). Now, if the same user logs in to another device B, getting a new AT and RT (AT-B &RT-B) the RT on device A (RT-A) becomes invalid. So refreshing AT-A on device A using RT-A should not work anymore, is that correct? Please correct me if I’m wrong and help me understand what’s going on in the background.

Does someone know what one should do in order to allow simultaneous login based on rotating refresh tokens?

I very much appreciate any help on this topic :slight_smile:

As far as I’m aware what you describe should not be an issue; the refresh tokens generated from the independent logins will also be independent of each other which would mean you could use them separately in each device to continue token renewal.

What token rotation prevents is the same refresh token value to be used to renew tokens multiple times (outside of a configurable leeway), however, each login will give you two independent refresh tokens so they will have an independent lifetime.

Thank you @jmangelo for explaining this to me.
Is there a limit on independent logins of a user?

There’s no limit that would technically be relevant for the end-user itself. There are rate limits that may impact end-users individually, but those are more about preventing application bugs or malicious usage and should not be an issue for an end-user normal usage across multiple devices.

1 Like