Refresh Token Rotation Detects Token Theft


When using refresh tokens to let clients obtain new access tokens, one danger is that the longer-lived refresh token can be stolen and used by an attacker to gain access to your application. This is especially tricky in the browser, where CSRF and XSS are commonplace.

An added layer of security is refresh token rotation, where each refresh token can only be used once. If a refresh token is used more than once—a sign that it was stolen—all refresh tokens in the chain are revoked automatically and the user must log in again.

Read "A Critical Analysis of Refresh Token Rotation in Single-page Applications".

  • How Refresh Tokens Work

    A refresh token in an OAuth setup using JSON Web Tokens (JWT) is used to request a new access token. Because access tokens are short-lived (to minimize the impact of a token being exfiltrated), a long-lived refresh token is commonly used to, for example, stay logged into an app rather than needing to log in every n minutes (the lifetime of the access token).
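The rotation and reuse-detection logic described above, as an added example that is not code from the original post or from any particular OAuth library. It assumes a server-side store keyed by opaque refresh tokens, groups tokens issued from one login into a "family", and stands in a plain claims dict for the signed JWT access token; the `simulate_theft` walkthrough shows the replay of a spent token revoking the whole chain so the victim's own newer token stops working too.

```python
import secrets
import time


class InvalidRefreshToken(Exception):
    """Unknown, expired, or revoked refresh token."""


class RefreshTokenReuse(InvalidRefreshToken):
    """A refresh token was presented a second time: treat as theft."""


class RotatingRefreshTokenStore:
    """Server-side refresh token store with one-time-use rotation and reuse detection.

    Every refresh token belongs to a 'family' created at login. Each successful
    refresh marks the presented token as used and mints a new token in the same
    family. Presenting an already-used token revokes the entire family.
    (Hypothetical in-memory design for illustration; a real deployment would persist this.)
    """

    def __init__(self, access_ttl=900, refresh_ttl=30 * 86400, clock=time.time):
        self.access_ttl = access_ttl      # access token lifetime in seconds
        self.refresh_ttl = refresh_ttl    # refresh token lifetime in seconds
        self.clock = clock                # injectable for testing expiry
        # token string -> record; spent records are kept so reuse can be detected
        self._tokens = {}
        self._revoked_families = set()

    def login(self, subject):
        """Start a new token family for a freshly authenticated user."""
        family = secrets.token_urlsafe(16)
        return self._mint(subject, family)

    def _mint(self, subject, family):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "subject": subject,
            "family": family,
            "used": False,
            "expires": self.clock() + self.refresh_ttl,
        }
        return token

    def revoke_family(self, family):
        """Invalidate every token ever issued in this login chain."""
        self._revoked_families.add(family)

    def rotate(self, presented):
        """Exchange a refresh token for (access_claims, new_refresh_token)."""
        record = self._tokens.get(presented)
        if record is None:
            raise InvalidRefreshToken("unknown refresh token")
        family = record["family"]
        if family in self._revoked_families:
            raise InvalidRefreshToken("token family revoked")
        if record["used"]:
            # Second use of a one-time token: either the legitimate client or a
            # thief is replaying it. Revoke the whole chain; the user must log in again.
            self.revoke_family(family)
            raise RefreshTokenReuse("refresh token reuse detected; family revoked")
        if self.clock() > record["expires"]:
            raise InvalidRefreshToken("refresh token expired")
        record["used"] = True
        new_refresh = self._mint(record["subject"], family)
        # Stand-in for a signed JWT: just the claims an access token would carry.
        access_claims = {"sub": record["subject"], "exp": int(self.clock() + self.access_ttl)}
        return access_claims, new_refresh


def simulate_theft():
    """Walk through the detection scenario; returns a dict of observed outcomes."""
    store = RotatingRefreshTokenStore()
    rt1 = store.login("alice")                 # user logs in
    _, rt2 = store.rotate(rt1)                 # legitimate refresh: rt1 is now spent
    outcomes = {}
    try:                                       # a copy of rt1 is presented again
        store.rotate(rt1)
        outcomes["replay"] = "accepted"
    except RefreshTokenReuse:
        outcomes["replay"] = "reuse_detected"
    try:                                       # user's still-unused rt2 is dead too
        store.rotate(rt2)
        outcomes["victim_next_refresh"] = "accepted"
    except InvalidRefreshToken:
        outcomes["victim_next_refresh"] = "rejected"
    rt3 = store.login("alice")                 # a fresh login starts a new family
    outcomes["after_relogin"] = "accepted" if store.rotate(rt3) else "rejected"
    return outcomes
```

Note that the detection fires on whichever party presents the spent token second, so the server cannot tell victim from thief; revoking the whole family and forcing a new login is the safe response either way. Spent records must be retained (at least until the family's refresh TTL elapses) or the second use would simply look like an unknown token rather than a reuse.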