Should the refreshToken be stored on the database?

Time:09-20

I am thinking about how to store the refresh token.

The token is validated in NestJS, so I thought that it was necessary to store it in MySQL or Redis.

If we save it, we should be able to identify multiple devices, and if the user exits without logging out, we need to retain unnecessary data until the refresh token expires.

For this reason, I thought it might not be necessary.

If I'm thinking wrong, please let me know!

CodePudding user response:

You don't necessarily store a refresh or accessToken in a database, but usually you store the idToken or the so-called userInfo response instead.

However, you do store the response of the OIDC provider. Usually they expose a jwks endpoint that allows you to verify whether the incoming token is signed by them. A package that solves this for you is jwks-rsa. You want this behavior because you don't want to verify the incoming token over and over again at the provider. Instead you just want to verify that the token is valid.
