Trying the new Refresh Token Rotation in a React SPA. Are 3rd party cookies supposed to be required?

Hi @steve.hobbs, I have a question: using the refresh token rotation mechanism, how could I detect suspicious refresh token usage if the legitimate client does not communicate with the server again, i.e. closes the tab and does not reopen it for a while? In that time interval, could the attacker who leaked the token continue to generate tokens until the client reopens the application and the server detects the reuse?
Taking into account that the access token is stored in application memory and the refresh token in local storage, would it also be advisable to invalidate the entire token family when the user closes the tab, or how would this process be controlled for the attacker?
Thanks in advance for your attention, greetings from Colombia :wave:

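As an added illustration that is not part of the original post or of Auth0's own code, here is a constructed in-memory model of rotation with token families; `idle_client_scenario` plays out exactly the window the question describes (leaked token rotated while the client is idle, detection only once the client returns), and the `family_lifetime` cap is the assumed server-side setting that bounds that window.

```python
import secrets

class RefreshTokenStore:
    """In-memory model of a rotating refresh-token store (constructed example)."""
    def __init__(self, family_lifetime=3600):
        self.tokens = {}       # token -> {"family", "used"}
        self.families = {}     # family id -> {"issued_at", "revoked"}
        self.family_lifetime = family_lifetime  # absolute cap in seconds

    def issue(self, now):
        """Start a new token family at login and return its first refresh token."""
        family = secrets.token_hex(8)
        self.families[family] = {"issued_at": now, "revoked": False}
        return self._mint(family)

    def _mint(self, family):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"family": family, "used": False}
        return token

    def rotate(self, token, now):
        """Exchange a refresh token for a new one; None means the request is refused."""
        rec = self.tokens.get(token)
        if rec is None:
            return None
        fam = self.families[rec["family"]]
        if fam["revoked"] or now - fam["issued_at"] > self.family_lifetime:
            return None
        if rec["used"]:
            # A token that was already rotated is being presented again:
            # revoke the whole family so the newest token is cut off as well.
            fam["revoked"] = True
            return None
        rec["used"] = True
        return self._mint(rec["family"])

def idle_client_scenario():
    """Client closes its tab holding t1; a leaked copy of t1 is rotated meanwhile."""
    store = RefreshTokenStore(family_lifetime=3600)
    t1 = store.issue(now=0)
    leaked, rotations_before_detection = t1, 0
    for minute in range(1, 6):  # every rotation of the leaked chain succeeds
        leaked = store.rotate(leaked, now=60 * minute)
        rotations_before_detection += 1
    client_result = store.rotate(t1, now=600)   # t1 already used: family revoked
    attacker_after = store.rotate(leaked, now=601)  # newest leaked token refused
    return rotations_before_detection, client_result, attacker_after
```

The scenario shows that reuse detection alone only fires when the idle client comes back, so the absolute family lifetime (and, in a real deployment, revocation on logout) is what limits how long a leaked chain can keep rotating.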