cornflourblue / aspnet-core-3-signup-verification-api

ASP.NET Core 3.1 - Boilerplate API with Email Sign Up, Verification, Authentication & Forgot Password
https://jasonwatmore.com/post/2020/07/06/aspnet-core-3-boilerplate-api-with-email-sign-up-verification-authentication-forgot-password
MIT License
226 stars, 93 forks

Long-Lived JWT Refresh Token Is Being Revoked and Replaced on Every Short-Lived Token Refresh Request #2

Closed twinmind closed 3 years ago

twinmind commented 3 years ago

Every time the web application calls accounts/refresh-token, the long-lived token is being replaced along with the short-lived token, and a new record is created in the RefreshToken table.

cornflourblue commented 3 years ago

This behaviour is intentional for increased security. The technique is called refresh token rotation; there's more info in this article: https://auth0.com/docs/tokens/concepts/refresh-token-rotation
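The rotation described in the reply, sketched as an added example (my own code, not the repository's): each call to the refresh endpoint revokes the presented token, records which token replaced it, and inserts a new row, and a token that comes back after it was already rotated is treated as reuse. The RefreshToken class, its field names, the seven-day lifetime and the in-memory list standing in for the table are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// Assumed shape of one RefreshToken table row (illustrative, not the repository's own class).
public class RefreshToken
{
    public string Token { get; set; }
    public DateTime Expires { get; set; }
    public DateTime? Revoked { get; set; }
    public string ReplacedByToken { get; set; }
    public bool IsActive => Revoked == null && DateTime.UtcNow < Expires;
}
public static class RefreshTokenRotation
{
    // Stand-in for the RefreshToken table: every row ever issued to one account.
    public static readonly List<RefreshToken> Tokens = new List<RefreshToken>();
    // Issued at sign-in and again on every rotation; this is the new row the reporter sees.
    public static RefreshToken Issue()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var token = new RefreshToken { Token = Convert.ToBase64String(bytes), Expires = DateTime.UtcNow.AddDays(7) };
        Tokens.Add(token);
        return token;
    }
    // What POST /accounts/refresh-token does under rotation: the presented token is revoked and
    // replaced, so each refresh token is single-use and its lifetime ends at the first exchange.
    public static RefreshToken Rotate(string presented)
    {
        var current = Tokens.SingleOrDefault(t => t.Token == presented) ?? throw new InvalidOperationException("unknown refresh token");
        if (current.Revoked != null)
        {
            // A revoked token coming back means two parties hold a copy: revoke every descendant so both must sign in again.
            RevokeDescendants(current);
            throw new InvalidOperationException("refresh token reuse detected");
        }
        if (!current.IsActive) throw new InvalidOperationException("refresh token expired");
        var next = Issue();
        current.Revoked = DateTime.UtcNow;
        current.ReplacedByToken = next.Token; // keeps the chain walkable for reuse detection
        return next;
    }
    static void RevokeDescendants(RefreshToken token)
    {
        for (var t = token; t != null; t = Tokens.SingleOrDefault(x => x.Token == t.ReplacedByToken))
            t.Revoked = t.Revoked ?? DateTime.UtcNow;
    }
}
```

Calling Rotate with a token that has already been rotated throws and leaves no active token in that chain, so the client has to sign in again rather than silently keep a session alive from a possibly stolen copy.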