Totally depends on your risk tolerance. Browsers are always a ... • Aaron Parecki

80°F

Nico Kaiser https://twitter.com/nicokaiser • May 2
What is your opinion on refresh tokens in client-side apps? The PKCE Auth Code flow allows issuing refresh tokens, so SPAs can refresh their tokens without relying on web_message (possibly cross-domain) iframes. ...

Totally depends on your risk tolerance. Browsers are always a more risky environment, so that's something to keep in mind with refresh tokens.

If you are going to issue refresh tokens to JS, definitely rotate them after every use.

Sunnyvale, California • 49°F

Thu, May 2, 2019 3:32pm -07:00

1 like
- Nico Kaiser
Have you written a response to this? Let me know the URL:

Posted in /replies using monocle.p3k.io