Currently, refresh tokens are hashed, and in order to decode them their content has to be compared to their associated JWT. This tightly couples refresh tokens to JWTs. Instead, they should be encrypted, so they can be authenticated and inspected without a JWT.
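The following Go program is an added illustration of the two schemes, not code from the project: a hashed refresh token can only be matched against a stored digest for a session the server already knows (the coupling described above), while a token sealed with authenticated encryption (AES-256-GCM here) is authenticated and decoded on its own. The claim fields (`sub`, `sid`, `exp`), the 32-byte server key and the token encoding (base64url of nonce || ciphertext || tag) are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// RefreshClaims is the content we want to read from the token alone, without
// the JWT it was issued alongside. The field set is an assumption for this example.
type RefreshClaims struct {
	Subject   string `json:"sub"`
	SessionID string `json:"sid"`
	ExpiresAt int64  `json:"exp"` // unix seconds
}

// HashedRefreshToken models the current scheme: the server stores only a hash of
// an opaque random token, so the token carries no inspectable content.
func HashedRefreshToken(raw []byte) string {
	sum := sha256.Sum256(raw)
	return hex.EncodeToString(sum[:])
}

// VerifyHashedRefreshToken is the only check the hashed scheme supports: "does
// this match the digest stored for that session?" The caller must already know
// which JWT/session the token belongs to in order to fetch storedHex.
func VerifyHashedRefreshToken(storedHex string, raw []byte) bool {
	return hmac.Equal([]byte(HashedRefreshToken(raw)), []byte(storedHex))
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRefreshToken encrypts and authenticates claims with AES-256-GCM and
// returns base64url(nonce || ciphertext || tag), so the token is self-contained.
func SealRefreshToken(key []byte, claims RefreshClaims) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	plaintext, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, plaintext, nil) // nonce prepended to output
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// OpenRefreshToken authenticates and decrypts the token, then checks expiry.
// No lookup against a JWT or session record is needed; any modified byte
// (ciphertext or tag) makes aead.Open fail before the claims are parsed.
func OpenRefreshToken(key []byte, token string, now time.Time) (RefreshClaims, error) {
	var claims RefreshClaims
	aead, err := newAEAD(key)
	if err != nil {
		return claims, err
	}
	sealed, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return claims, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return claims, errors.New("token too short")
	}
	plaintext, err := aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return claims, errors.New("token authentication failed")
	}
	if err := json.Unmarshal(plaintext, &claims); err != nil {
		return claims, err
	}
	if now.Unix() >= claims.ExpiresAt {
		return claims, errors.New("token expired")
	}
	return claims, nil
}

func main() {
	key := make([]byte, 32) // per-deployment server secret; random here for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	claims := RefreshClaims{Subject: "user-123", SessionID: "sess-abc", ExpiresAt: time.Now().Add(24 * time.Hour).Unix()}
	tok, _ := SealRefreshToken(key, claims)
	got, err := OpenRefreshToken(key, tok, time.Now())
	fmt.Printf("token=%s\nclaims=%+v err=%v\n", tok, got, err)
}
```

Because GCM authenticates before decrypting, a tampered token, a token sealed under a different key, or a truncated token is rejected without ever parsing its contents; the expiry check then runs on the authenticated claims, so the refresh token can be validated and inspected entirely on its own.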