Learn about refresh tokens and how they help developers balance security and usability in their applications.
Awesome post, it answers too many questions on my mind. A new question arose. If we are going to use refresh token rotations how do identify a user using a mobile app and web app, the way it’s demonstrated in the blog post is that which one manages to request a new refresh token first is going to invalidate the session for the other device, and when the other device requests a new refresh token (using the old refresh token) it’s going to invalidate both sessions, so now the user has been logged out from his devices. How can we solve this issue?
In my understanding, the mentioned refresh tokens family are bound to the issuance process chain not to the user identity. So, automatic reuse detection will only invalidate the tokens that were issued by the same chain.
The blog post didn’t explict that, but If I’m correct on my assumption, it means that diferent devices will have different refresh tokens families, so it’s not possible that the legitimate users logout itself.
It makes even more sense if you realise that refresh tokens leakage are a issue related to a particular device beeing compromised or a some sort of XSS attack (cross site scripting attack) (which would have different impacts on mobile/web applications).
Hope that clear your doubts and that Auth0 staff could confirm my explanation is correct!