I have been learning how Auth0 works in order to evaluate if and how I can implement it in my software.
I have a little doubt about Refresh Tokens.
We know that Refresh Tokens are long-lived (as it is stated here: Understanding Refresh Tokens), so we must keep them safe. So, one Client (a mobile app, a web app, etc.) generates inside Auth0 one Refresh Token for each user it authenticates? I mean, if the Refresh Token is stolen from the Client, it can't be used with another client id and client secret (from another application), right? I know there are a lot of ways to configure Auth0 through Rules, Connections, etc., but, in general terms and if it's configured well, that Refresh Token will only be valid for that client with that user, but not for another user or another Client (application), right? I think that the answer is a clear "yes", but I want to know if I'm understanding everything well.
Thank you very much for your help and have a nice day!
Hi,
That is correct. A refresh token is bound to a particular Client ID, so it would not work if you tried to use it with the Client ID/Secret of any other Application (the error message will indicate that). It can also be used to keep the original user authenticated forever (by refreshing tokens) and get access to an API essentially forever.
Public clients such as Mobile apps need to be extra careful with refresh tokens because, as public clients, they do not require a client secret to be authenticated, so the refresh tokens should be stored in a secure manner. We have guidelines and functions in our Mobile SDKs to help with secure storage; see the docs below for both iOS and Android:
Single-page applications should implement Silent Authentication instead to renew tokens.
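The client binding described in the answer above, as an added, self-contained model that is not Auth0's code: a toy token endpoint that records the client_id and user a refresh token was issued to, and rejects a `grant_type=refresh_token` request that presents the same token under any other client_id (RFC 6749 section 6 semantics). The client registry, user names and secret value are constructed for the demo; the `invalid_grant` and `invalid_client` error codes are the standard OAuth 2.0 ones, not Auth0's exact wording.

```python
"""Toy model of an OAuth 2.0 token endpoint that binds refresh tokens to a client.

Added example, not Auth0's code. It shows three things the thread discusses:
  * a refresh token only works for the client_id it was issued to,
  * a confidential client must also present its secret, a public client does not,
  * every (client, user) pair gets its own, independent refresh token.
Client registry, users and the secret below are constructed demo data.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


class TokenError(Exception):
    """OAuth 2.0 error response; .code is the RFC 6749 error string."""

    def __init__(self, code: str) -> None:
        super().__init__(code)
        self.code = code


@dataclass(frozen=True)
class Client:
    client_id: str
    client_secret: Optional[str]  # None marks a public client (mobile app, SPA)


class TokenEndpoint:
    def __init__(self, clients) -> None:
        self._clients = {c.client_id: c for c in clients}
        # opaque refresh token value -> (client_id, user) it was issued to
        self._refresh_tokens: dict[str, tuple[str, str]] = {}

    def _authenticate_client(self, client_id: str, client_secret: Optional[str]) -> Client:
        client = self._clients.get(client_id)
        if client is None:
            raise TokenError("invalid_client")
        if client.client_secret is not None:
            # confidential client: the secret is mandatory and compared in constant time
            if client_secret is None or not hmac.compare_digest(client.client_secret, client_secret):
                raise TokenError("invalid_client")
        return client

    def issue(self, client_id: str, user: str, client_secret: Optional[str] = None) -> dict:
        """End of a login: mint an access token plus a refresh token bound to (client, user)."""
        self._authenticate_client(client_id, client_secret)
        refresh_token = secrets.token_urlsafe(32)
        self._refresh_tokens[refresh_token] = (client_id, user)
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": refresh_token}

    def refresh(self, client_id: str, refresh_token: str, client_secret: Optional[str] = None) -> dict:
        """grant_type=refresh_token: only the issuing client may redeem the token."""
        self._authenticate_client(client_id, client_secret)
        bound = self._refresh_tokens.get(refresh_token)
        if bound is None or bound[0] != client_id:
            # unknown, revoked or other-client token: one error so a thief learns nothing
            raise TokenError("invalid_grant")
        _, user = bound
        return {"access_token": secrets.token_urlsafe(16), "user": user}


def run_demo() -> dict:
    """Plays out the scenario from the thread and returns the observed outcomes."""
    endpoint = TokenEndpoint([
        Client("mobile-app", None),                   # public client, constructed
        Client("backend-svc", "s3cret-constructed"),  # confidential client, constructed
    ])
    stolen = endpoint.issue("mobile-app", "alice")["refresh_token"]
    results = {}
    # legitimate renewal by the client the token was issued to
    results["same_client"] = endpoint.refresh("mobile-app", stolen)["user"]
    # attacker replays the stolen token under another application's credentials
    try:
        endpoint.refresh("backend-svc", stolen, "s3cret-constructed")
        results["other_client"] = "accepted"
    except TokenError as err:
        results["other_client"] = err.code
    # confidential client that omits its secret is rejected before the token is even looked at
    try:
        endpoint.refresh("backend-svc", stolen)
        results["missing_secret"] = "accepted"
    except TokenError as err:
        results["missing_secret"] = err.code
    # a second user of the same app receives a separate token; theft of one does not expose the other
    bob = endpoint.issue("mobile-app", "bob")["refresh_token"]
    results["distinct_tokens"] = bob != stolen
    return results


if __name__ == "__main__":
    print(run_demo())
```

The check that matters is the `bound[0] != client_id` comparison in `refresh`: the token itself carries no client information, so the binding lives in server-side state, which is why a stolen token is only useful to someone who can also pose as the issuing client. For a public client that is just the client_id, which is why the answer above stresses secure storage on the device.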
First of all, thank you very much for your reply. This is really useful for me.
As the mobile app is a Public client, I understand that the Refresh Token should be stored securely. I will read the documentation you linked to me, but as they do not use a client secret, what happens if the Refresh Token is stolen? I mean, the only risk will be restricted to that user and that client (application), because another user (in another mobile phone, perhaps) using the same application will have another Refresh Token, and the same user in a different client will also have another Refresh Token, because they are generated in a unique way for every "pair of user-client". Is this right? Or will the whole user or client (application) be compromised?
Thank you very much again for the time you are spending on my question.