A refresh token in an OAuth setup using JSON Web Tokens (JWT) is used to request a new access token. Because access tokens are short-lived (to limit the damage if one is exfiltrated), a long-lived refresh token is commonly used to, for example, keep a user logged into an app rather than requiring them to log in again every n minutes, where n is the access token's lifetime.
When refresh tokens let clients obtain new access tokens, one danger is that the longer-lived refresh token can itself be stolen and then used by an attacker to mint fresh access tokens for your application for as long as it stays valid. This is especially tricky in the browser, where CSRF and XSS are commonplace.
One way to mitigate CSRF is to have the browser attach the cookie holding the refresh token only to requests that originate from the same site, by setting the cookie attribute SameSite=Strict. Browser support for SameSite was incomplete when this was written; all current major browsers honour it, but older clients ignore the attribute, so treat it as defence in depth alongside a CSRF token or an Origin check rather than the only control. SameSite also does nothing against XSS: script running on your own origin can call the refresh endpoint itself, so the refresh-token cookie should additionally be HttpOnly, scoped with Path to the refresh endpoint only, and rotated on every use so that a stolen copy is noticed when the old value is replayed.