Closed: robons closed this 2 years ago
Because refresh tokens have the potential for a long lifetime, developers should ensure that strict storage requirements are in place to keep them from being leaked. For example, on web applications, refresh tokens should only leave the backend when being sent to the authorization server, and the backend should be secure.
I think refresh tokens are post-MVP, and we likely don't need a cache since the database will be a performant enough place to retrieve the tokens from with the expected low load of users.
Do we need to hold the user's refresh token (in order to refresh it at some later point in time), or can we hand it over to the user so we don't need to carry it around?
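As an added illustration of the backend-held option discussed above (this is example code written for this page, not code from the issue or the project): the browser only ever receives an opaque session id and the backend keeps the refresh token in its database, sending it nowhere except to the authorization server's token endpoint when the access token is about to expire. The authorization server is simulated in-process (`FakeAuthServer`, with refresh-token rotation) so the example runs offline; class and column names are hypothetical, and the `now` parameters exist only to make the expiry logic deterministic.

```python
"""Backend-held refresh tokens (added example, not the project's code).

The client sees only an opaque session id; the refresh token lives in the
backend's sessions table and leaves it only in the refresh call to the
authorization server. FakeAuthServer stands in for a real OAuth 2.0 token
endpoint (a real backend would POST to it over TLS); it rotates refresh
tokens, so a reused old refresh token is rejected with invalid_grant.
"""
import secrets
import sqlite3
import time

SKEW = 30.0  # refresh this many seconds before the access token actually expires


class FakeAuthServer:
    """Simulated authorization server (constructed for this example)."""

    def __init__(self, access_ttl=300.0):
        self.access_ttl = access_ttl
        self._refresh_tokens = {}  # refresh_token -> subject; only valid tokens are present

    def login(self, subject, now):
        return self._issue(subject, now)

    def refresh(self, refresh_token, now):
        # Rotation: the presented refresh token is consumed and a new one issued.
        subject = self._refresh_tokens.pop(refresh_token, None)
        if subject is None:
            raise PermissionError("invalid_grant")
        return self._issue(subject, now)

    def revoke(self, refresh_token):
        self._refresh_tokens.pop(refresh_token, None)

    def _issue(self, subject, now):
        refresh_token = "rt_" + secrets.token_urlsafe(24)
        self._refresh_tokens[refresh_token] = subject
        return {
            "access_token": "at_" + secrets.token_urlsafe(16),
            "expires_at": now + self.access_ttl,
            "refresh_token": refresh_token,
        }


class Backend:
    """Web backend that holds refresh tokens server-side, keyed by session id."""

    def __init__(self, auth_server, db_path=":memory:"):
        self.auth = auth_server
        self.db = sqlite3.connect(db_path)
        # In production this column should be encrypted at rest (e.g. with a
        # KMS-managed key); that is an assumption of the deployment, not shown here.
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS sessions ("
            "session_id TEXT PRIMARY KEY, subject TEXT NOT NULL, "
            "access_token TEXT NOT NULL, expires_at REAL NOT NULL, "
            "refresh_token TEXT NOT NULL)"
        )

    def login(self, subject, now=None):
        now = time.time() if now is None else now
        tokens = self.auth.login(subject, now)
        session_id = secrets.token_urlsafe(32)  # opaque cookie value for the browser
        self.db.execute(
            "INSERT INTO sessions VALUES (?, ?, ?, ?, ?)",
            (session_id, subject, tokens["access_token"], tokens["expires_at"], tokens["refresh_token"]),
        )
        self.db.commit()
        return session_id  # the refresh token is deliberately not part of this

    def access_token_for(self, session_id, now=None):
        """Return a usable access token for the session, refreshing if needed."""
        now = time.time() if now is None else now
        row = self.db.execute(
            "SELECT access_token, expires_at, refresh_token FROM sessions WHERE session_id = ?",
            (session_id,),
        ).fetchone()
        if row is None:
            raise PermissionError("unknown session")
        access_token, expires_at, refresh_token = row
        if now < expires_at - SKEW:
            return access_token
        try:
            tokens = self.auth.refresh(refresh_token, now)  # the only place the refresh token leaves the backend
        except PermissionError:
            # Refresh token revoked or already rotated: drop the session, force re-login.
            self.db.execute("DELETE FROM sessions WHERE session_id = ?", (session_id,))
            self.db.commit()
            raise
        self.db.execute(
            "UPDATE sessions SET access_token = ?, expires_at = ?, refresh_token = ? WHERE session_id = ?",
            (tokens["access_token"], tokens["expires_at"], tokens["refresh_token"], session_id),
        )
        self.db.commit()
        return tokens["access_token"]

    def stored_refresh_token(self, session_id):
        """Inspection helper for tests/audits; never expose this via an HTTP route."""
        row = self.db.execute("SELECT refresh_token FROM sessions WHERE session_id = ?", (session_id,)).fetchone()
        return None if row is None else row[0]

    def logout(self, session_id):
        refresh_token = self.stored_refresh_token(session_id)
        if refresh_token is not None:
            self.auth.revoke(refresh_token)  # a real AS exposes this as an RFC 7009 revocation endpoint
        self.db.execute("DELETE FROM sessions WHERE session_id = ?", (session_id,))
        self.db.commit()
```

The trade-off this makes explicit: handing the refresh token to the browser would save the `sessions` row, but every browser-side storage location is reachable by injected script or a stolen device, whereas here a leaked session cookie is bounded by the session row the backend can delete, and the refresh token itself is never in the client's hands.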