Support for Refresh Token Rotation!
Auth0 is proud to announce that as of today, Refresh Token Rotation with Reuse Detection is available for all public cloud customers.
Refresh Token Rotation provides a secure way to use refresh tokens in single-page applications (SPAs), giving end users seamless access to resources without the UX disruption caused by browser privacy technology such as Safari's Intelligent Tracking Prevention (ITP).
With Refresh Token Rotation enabled, every time a client exchanges a refresh token (RT) for a new access token (AT), a new RT is returned as well and the RT that was just used is invalidated. You no longer need a long-lived RT that, if compromised, could grant illegitimate access to resources. Reuse Detection adds a second safeguard: if an RT that has already been exchanged is presented again, Auth0 treats it as evidence of compromise and revokes the whole family of tokens descended from it. Because RTs are continually exchanged and invalidated, the attack surface is greatly reduced.
Auth0 makes it easy to get started with Refresh Token Rotation. You can enable this capability for any application using the following flows:
- OAuth2 Authorization Code Flow
- OAuth2 Authorization Code Flow with Proof Key for Code Exchange (PKCE)
- OAuth2 Device Authorization Grant (Device Flow)
- Resource Owner Password Grant (ROPG)
Learn more about Refresh Token Rotation from our Director of Product Management in this blog post. Refresh Token Rotation is supported in the following SDK versions:
- Auth0 SPA SDK (1.17.0): https://auth0.com/docs/libraries/auth0-spa-js
- Auth0 Swift (iOS) SDK (1.23.0): https://auth0.com/docs/libraries/auth0-swift
- Auth0 Android SDK (1.23.0): https://auth0.com/docs/libraries/auth0-android
What other features would you like to see? Submit your ideas to our feedback page.
Give it a try and let us know what you think!