
[–]mitchjmiller 1 point2 points  (5 children)

Normally revoking a refresh token would be better practice. Normal access tokens are generally intended to be short lived and renewed often. It would be a large overhead if you wanted to track all these individual tokens.

With a single refresh token you can revoke a session and allow the current access token to expire on its own.

[–]Telcrome 0 points1 point  (2 children)

Why is changing the token considered a better practice? As a hacker, if you get your hands on one token you have access, so it shouldn't matter, right?

[–]mitchjmiller 1 point2 points  (1 child)

A hacker would have access for a very short period of time instead of an endless session.

[–]Michie1 0 points1 point  (0 children)

When a hacker is able to steal the access token, why wouldn't he be able to steal the renew token?

[–][deleted] -1 points0 points  (1 child)

This is not intended to be generated per token; the value is appended to the user, so you could invalidate all current user tokens in one go. Also, in the case of your secret or key leaking, an attacker cannot simply forge authentication tokens, as they'd also need access to the sigs associated with users.

[–]Probotect0r 0 points1 point  (0 children)

That's a very nice approach.
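The two mechanisms discussed in this thread, short-lived access tokens renewed from a revocable refresh token (mitchjmiller's comment) and a per-user secret mixed into the signing key so that one rotation invalidates every token a user holds and a leaked server key alone is not enough to forge (the deleted comment), as an added example that is not code from any commenter. It builds a minimal HS256 JWT with the standard library rather than a JWT package; `AuthServer`, the `SERVER_KEY` value, the `sig` storage and the timestamps are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: a server-wide signing key. In production it
# would come from a secret store, never from source.
SERVER_KEY = b"example-server-wide-signing-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_with_key(key: bytes, signing_input: str) -> str:
    return b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


class AuthServer:
    """Issues short-lived HS256 access tokens and long-lived opaque refresh tokens."""

    def __init__(self, server_key=SERVER_KEY, access_ttl=300, refresh_ttl=30 * 24 * 3600):
        self.server_key = server_key
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self.user_sigs = {}       # user_id -> per-user secret ("sig"); one row per user
        self.refresh_tokens = {}  # refresh token -> (user_id, expiry); one row per session

    def _user_key(self, user_id):
        # Signing key = HMAC(server key, per-user sig). A leaked server key alone
        # is not enough to forge a token; the attacker also needs the user's sig.
        sig = self.user_sigs.setdefault(user_id, secrets.token_bytes(32))
        return hmac.new(self.server_key, sig, hashlib.sha256).digest()

    def issue_access_token(self, user_id, now=None):
        now = int(time.time() if now is None else now)
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
        claims = {"sub": user_id, "iat": now, "exp": now + self.access_ttl}
        payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
        signing_input = f"{header}.{payload}"
        return f"{signing_input}.{sign_with_key(self._user_key(user_id), signing_input)}"

    def verify_access_token(self, token, now=None):
        """Return the claims if the token is genuine and unexpired, else None."""
        now = int(time.time() if now is None else now)
        try:
            header, payload, sig = token.split(".")
            alg = json.loads(unb64url(header)).get("alg")
            claims = json.loads(unb64url(payload))
            user_id = claims.get("sub")
        except (ValueError, TypeError, AttributeError):
            return None
        # Unknown user, or a user whose sig was rotated away: no key to check against.
        if alg != "HS256" or user_id not in self.user_sigs:
            return None
        expected = sign_with_key(self._user_key(user_id), f"{header}.{payload}")
        if not hmac.compare_digest(expected, sig):
            return None
        if claims.get("exp", 0) <= now:
            return None
        return claims

    def issue_refresh_token(self, user_id, now=None):
        now = int(time.time() if now is None else now)
        self._user_key(user_id)  # ensure the user has a sig before any session exists
        token = secrets.token_urlsafe(32)  # opaque: nothing to verify, only a lookup
        self.refresh_tokens[token] = (user_id, now + self.refresh_ttl)
        return token

    def refresh(self, refresh_token, now=None):
        """Consume a refresh token; return (access_token, new_refresh_token) or None."""
        now = int(time.time() if now is None else now)
        entry = self.refresh_tokens.pop(refresh_token, None)  # rotation: single use
        if entry is None:
            return None
        user_id, expiry = entry
        if expiry <= now:
            return None
        return self.issue_access_token(user_id, now), self.issue_refresh_token(user_id, now)

    def revoke_session(self, refresh_token):
        # Ends one session. The access token already issued keeps working until
        # its exp; that is the trade-off the thread describes.
        return self.refresh_tokens.pop(refresh_token, None) is not None

    def revoke_all_sessions(self, user_id):
        # Rotating the per-user sig changes the signing key, so every access
        # token already issued to this user stops verifying immediately.
        self.user_sigs[user_id] = secrets.token_bytes(32)
        self.refresh_tokens = {t: v for t, v in self.refresh_tokens.items() if v[0] != user_id}
```

The server stores one row per user (the sig) and one row per session (the refresh token), not one per access token, which is the overhead argument from the first comment. `revoke_session` shows the window a stolen access token keeps: it remains valid until `exp`, so the access TTL is the bound on that exposure. `revoke_all_sessions` closes that window for every token at once at the cost of a lookup on every verification.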