How to adjust Access Token / Refresh Token when log out?

Time:01-09

I'm developing an authentication system that returns access/refresh tokens when a user logs in. The access token has a short lifetime, whereas the refresh token has a 30 day lifetime.

When a user logs out, I invalidate his access token by adding it to Redis storage that implements a blacklist. What should I do with his refresh token? It will continue living, and the user can access another page after logging out, which results in receiving a new access token. Should I block it along with the access token? I think that simply removing it from cookies will cause problems, because its signature is still valid.

CodePudding user response:

If you use OAuth 2.0 for user login (especially with a refresh token), then it is not the best solution, because a public client cannot store a refresh token securely (OIDC is preferred).

Back to the question: it depends on the business requirements and the implementation. If the application can still be used after logout in the same user context because of the refresh token, then you should also invalidate the refresh token.

To better understand OAuth 2.0 with browser-based applications, please check this document: https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-10.html
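The following is an added example, not code from the question or the answer above, showing what "invalidate the refresh token as well" looks like in practice: logout denylists the JTI of both tokens for their remaining lifetime (the way a Redis SETEX keyed on the JTI would), and the refresh endpoint both consults the denylist and rotates, so a refresh token can only be used once. It assumes a minimal HMAC-SHA256 signed compact token format in place of a JWT library and an in-memory dict in place of Redis; `Denylist`, `TokenService` and the lifetimes are hypothetical names and values chosen for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"demo-signing-key"          # assumption: HS256-style shared secret
ACCESS_TTL = 15 * 60                  # assumption: 15-minute access token
REFRESH_TTL = 30 * 24 * 3600          # 30-day refresh token, as in the question


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict) -> str:
    """Compact token: base64url(json claims) '.' base64url(HMAC-SHA256)."""
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


class Denylist:
    """In-memory stand-in for the Redis blacklist: SETEX <jti> <remaining ttl>."""

    def __init__(self):
        self._entries = {}  # jti -> absolute expiry, after which the entry is moot

    def add(self, jti: str, expires_at: int) -> None:
        self._entries[jti] = expires_at

    def contains(self, jti: str, now: int) -> bool:
        exp = self._entries.get(jti)
        if exp is None:
            return False
        if exp <= now:           # Redis would have expired the key by now
            del self._entries[jti]
            return False
        return True


class TokenService:
    def __init__(self, denylist: Denylist):
        self.denylist = denylist

    def issue(self, sub: str, now: int):
        """Return (access, refresh); each carries its own JTI and type."""
        def claims(typ, ttl):
            return {"sub": sub, "typ": typ, "jti": secrets.token_urlsafe(16),
                    "iat": now, "exp": now + ttl}
        return sign(claims("access", ACCESS_TTL)), sign(claims("refresh", REFRESH_TTL))

    def verify(self, token: str, expected_typ: str, now: int):
        """Claims if signature, type, expiry and denylist all pass, else None."""
        try:
            body, sig = token.split(".")
            expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_unb64(sig), expected):
                return None
            claims = json.loads(_unb64(body))
            if claims["typ"] != expected_typ or claims["exp"] <= now:
                return None
            if self.denylist.contains(claims["jti"], now):
                return None
            return claims
        except (ValueError, KeyError, TypeError):
            return None

    def logout(self, access: str, refresh: str, now: int) -> int:
        """Denylist BOTH tokens until they would have expired anyway."""
        revoked = 0
        for tok, typ in ((access, "access"), (refresh, "refresh")):
            claims = self.verify(tok, typ, now)
            if claims is not None:
                self.denylist.add(claims["jti"], claims["exp"])
                revoked += 1
        return revoked

    def refresh(self, refresh_token: str, now: int):
        """Exchange a refresh token for a new pair; the old one is single-use."""
        claims = self.verify(refresh_token, "refresh", now)
        if claims is None:          # revoked, expired, tampered or wrong type
            return None
        self.denylist.add(claims["jti"], claims["exp"])   # rotation
        return self.issue(claims["sub"], now)
```

Because the denylist entry lives only as long as the token it blocks, the Redis key space stays bounded by the number of active logouts and rotations rather than growing forever. The refresh token is keyed by its own JTI, so it is revoked independently of the access token it was issued with; a session identifier shared by both tokens would let one entry cover the pair, but the per-JTI form is the closest match to the blacklist the question describes.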
