There is a lot of information regarding the use of refresh tokens with several different back-ends, including ASP.NET Core (which we’re using). However, I am currently working on an MVC app, and I want to make sure that users who log in actually stay logged in forever (across browser sessions), but I obviously do want to support the revocation of their token under certain conditions (such as a password change).
Since I’m using basic MVC, no front-end app framework, nearly every user interaction results in a page navigation.
I am struggling to figure out how and when to handle keeping the access token up to date in this type of application, where there is almost no application state on the client side.
Willing to provide more context if needed, since I’m left scratching my head but I really want to use Auth0 for our authentication.