GSS-Cogs / linked-data-repository

A repository to hold and store CSV-Ws, Turtle and other Linked data
Apache License 2.0

Figure out whether we need a cache to hold user refresh tokens or not #23

Closed robons closed 2 years ago

robons commented 2 years ago

Do we need to hold the user's refresh token (in order to refresh it at some later point in time), or can we hand this over to the user so we don't need to carry it around?

robons commented 2 years ago

Because refresh tokens have the potential for a long lifetime, developers should ensure that strict storage requirements are in place to keep them from being leaked. For example, on web applications, refresh tokens should only leave the backend when being sent to the authorization server, and the backend should be secure.

https://auth0.com/learn/refresh-tokens/

robons commented 2 years ago

I think refresh tokens are post-MVP and we likely don't need a cache since the database will be a performant enough place to retrieve the tokens from with the expected low load of users.