I had some refresh logic on the authorization server when I shouldn't have. I've also improved the example to use accessToken and refreshToken cookies for the first-party client instead of using a session on all requests that has both the accessToken and refreshToken. The old way wasn't as secure. With this change, the refresh tokens are only sent over HTTP when requests are made to a few specific endpoints.
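The property described above, a refresh token that the browser only attaches to a few endpoints, is what the cookie `Path` attribute gives you. The following is an added illustration, not the project's own code: it builds the two `Set-Cookie` values (the `accessToken` and `refreshToken` names come from the message; the `/auth/refresh` path and the `SameSite=Strict` choice are assumptions) and then applies the RFC 6265 path-match rule to show which cookies a browser would send to a given request path.

```javascript
// Build the Set-Cookie header values for a first-party login response.
// The access token is scoped to the whole site; the refresh token is scoped
// to the refresh endpoint only, so it never rides along on ordinary API calls.
// refreshPath is a hypothetical default, not a path from the project.
function buildAuthCookies({ accessToken, refreshToken, refreshPath = '/auth/refresh' }) {
  const common = 'HttpOnly; Secure; SameSite=Strict';
  return [
    `accessToken=${encodeURIComponent(accessToken)}; Path=/; ${common}`,
    `refreshToken=${encodeURIComponent(refreshToken)}; Path=${refreshPath}; ${common}`,
  ];
}

// Parse one Set-Cookie value into name, value and the attributes we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    path: '/',
    httpOnly: false,
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'path') cookie.path = v;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// RFC 6265 section 5.1.4 path-match: the cookie path equals the request path,
// or is a prefix of it that ends in "/" or is followed by "/" in the request.
// This is why "/auth/refresh" does not leak to "/auth/refreshx".
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Names of the cookies a browser would attach to an HTTPS request for requestPath.
function cookiesSentTo(setCookieHeaders, requestPath) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => pathMatches(c.path, requestPath))
    .map((c) => c.name);
}

// Constructed sample values for a stand-alone run.
const sampleCookies = buildAuthCookies({ accessToken: 'at-sample', refreshToken: 'rt-sample' });
for (const p of ['/api/profile', '/auth/refresh', '/auth/refreshx']) {
  console.log(p, '->', cookiesSentTo(sampleCookies, p).join(', '));
}
```

The check worth running on your own deployment is the third case: a cookie path without a trailing slash still matches sub-paths (`/auth/refresh/anything`), so keep the refresh endpoint on a dedicated path that no other route shares a prefix with.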