Is it ok to use Refresh Token Rotation in standard web applications (not just SPA), like for example in .net web app?
We’re already using Auth0 to authenticate end-users to our website, but would like to add a “Remember Me” button, which would, if checked, have an effect of storing refresh token in the cookie and using it the next time user starts its browser to refresh the access/id token.
Is this scenario viable or should we use some other approach/flow?