What are Refresh Tokens?! and...How to Use Them Securely

In this video we will explore the concept of refresh tokens, learn how they compare to other token types, and understand how they let us balance security, usability, and privacy.

*Check out the corresponding blog post to this video here:*

*Auth0 Token Best Practices doc:*

*Chapters:*
00:00 Introduction
00:40 What is a Token?
02:04 What is an ID Token?
02:53 What is an Access Token?
04:56 What is a Refresh Token?
05:55 When to Use Refresh Tokens?
06:40 Authorization and Authentication Flows
08:50 Refresh Token Rotation
09:11 Keeping Refresh Tokens Secure
10:29 Refresh Token Rotation
11:38 Refresh Token Automatic Reuse Detection
14:52 Using Refresh Tokens to Balance Security, Convenience and Privacy
16:05 Locally Storing Your Refresh Tokens?!
17:54 Token Best Practices
18:50 Conclusion

#security #authentication #developer
___________________________________________
Learn with Auth0 by Okta
___________________________________________
Comments
Author

That's genius, you explained what I have been working on for three months, thanks bro ❤!!!

twd
Author

Super clear, thank you for this awesome video! I feel smarter.

KulcsarRudolf
Author

This video has enough information to tell you "refresh tokens are very powerful" and they also tell you "auth0 takes measures to secure it" (which satisfies their goal I guess). The main difference between access tokens and refresh tokens is that the refresh tokens are stored in the database and the server can invalidate them at will. So, if a user changes password or the refresh token is compromised, the refresh token can be revoked and the bad actor loses access as soon as the access token expires.

jesterflint
Author

Thank you sir for making this video informative and fun to watch.

luisvillar
Author

One of the best videos I have watched 👌❤ Loved the way you explained it.

marvellstudio
Author

Great vid, informative and very entertaining. Well done, Sir!

pawelbrzosko
Author

Hi, I'm trying to understand this since I'm building an app in PHP and I have to use a REST service. I have the service to request a token, which also returns the refresh token. Should I request the token, store it in a database, and every time I need the token first check whether I have a valid one in the database based on the expiration date? What would the refresh token be used for?

Thanks for all

rdoojgg
Author

Sir, thank you very much, I have been searching for this for a long time 😂 ...
From India 🇮🇳 ♥️

rahulganga
Author

Thank you for the content, you are very knowledgeable. A mini tip that would help so much is to use tables/charts, e.g. for the part about which auth flow to use.

bobobobo-kifw
Author

Awesome and easy to understand! Thank You Very Much! I do have one question though, that I can't seem to find the answer to. For refresh token rotation, is it a sliding rotation? Meaning when I get a new refresh token is the expiration pushed back further than the initial expiration? Or is there a way to configure it to, regardless of how many refresh tokens I get, have a combined expiration of... let's say 30 days?

SunnyHenry
Author

Awesome video! However, I wonder if the token family breaks server statelessness?

jimkk
Author

Thank you, the video gives me the answer for how to secure refresh tokens.

tuanleanh
Author

Good explanation. Thanks. God bless you

omphemetsemafoko
Author

It was a great session, easy to understand compared with others.

techytipsnow
Author

If both the access token and refresh token have expired at the same time (i.e., after 15 minutes), it presents a challenge because the client can no longer use the expired refresh token to obtain a new access token. In this case, the user would need to re-authenticate to obtain a new pair of tokens innit?

adelkedjour
Author

Clearly explained. Thanks. But how can a beginner get an example of using Okta and Spring Boot 3 microservices?

maneshipocrates
Author

Thought I was tripping when I saw the guy's beard starting to grow grey towards the end of the video lol.

tamashercz
Author

What happens if a malicious person gets their hands on the refresh token, but the actual user doesn't make a request for quite some time? Wouldn't that let the malicious person misuse the long-lasting refresh token? While I do agree that rotating refresh tokens can enhance security, I'm curious about how this specific scenario would be managed.

uziqmyk
Author

What happens at 12:07 if the malicious user authenticates with the stolen refresh token before the legitimate user does? Wouldn't the malicious user then have a legit access token to impersonate the legit user?

cn
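An added example (not code from the video or from Auth0's own implementation) of the rotation-plus-reuse-detection mechanism the two questions above ask about, using a hypothetical in-memory token store: every refresh rotates the token, and presenting an already-rotated token again revokes the whole family, so the attacker's newer refresh token dies too and only the access token they already obtained survives until it expires.

```python
import secrets
from dataclasses import dataclass

@dataclass
class TokenFamily:
    current: str            # the only refresh token valid in this family right now
    revoked: bool = False   # set once reuse is detected; nothing in the family works after

class RefreshTokenStore:
    """Hypothetical server-side store: one family per login, rotated on every refresh."""
    def __init__(self):
        self.families = {}         # family_id -> TokenFamily
        self.token_to_family = {}  # refresh token -> family_id (old tokens stay mapped)

    def _issue(self, family_id):
        token = secrets.token_urlsafe(32)
        self.families[family_id].current = token
        self.token_to_family[token] = family_id
        return token

    def login(self):
        """A fresh login starts a new family and hands out its first refresh token."""
        family_id = secrets.token_hex(8)
        self.families[family_id] = TokenFamily(current="")
        return self._issue(family_id)

    def refresh(self, presented):
        """Return a rotated refresh token, or None if the presented one is rejected."""
        family_id = self.token_to_family.get(presented)
        if family_id is None:
            return None                 # unknown token
        fam = self.families[family_id]
        if fam.revoked:
            return None                 # family already killed by an earlier reuse
        if presented != fam.current:
            fam.revoked = True          # reuse of a rotated-out token: revoke everything
            return None
        return self._issue(family_id)

def stolen_token_scenario():
    """Attacker uses stolen RT1 first; the victim's later use of RT1 trips reuse detection."""
    store = RefreshTokenStore()
    rt1 = store.login()            # victim logs in and receives RT1 (then it is stolen)
    rt2 = store.refresh(rt1)       # attacker refreshes first: gets RT2 and a short-lived access token
    victim = store.refresh(rt1)    # victim presents RT1 again -> reuse detected -> family revoked
    attacker = store.refresh(rt2)  # attacker's RT2 is dead as well
    return rt2 is not None, victim, attacker   # (True, None, None)
```

The attacker's window is therefore bounded by the access token lifetime, which is why the video pairs rotation with short-lived access tokens.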
Author

How in heaven do I generate a new refresh token? I'm a noob.

zeffali