Last post Sep 14, 2017 05:36 PM by PatriceSc
Sep 12, 2017 06:48 PM | unggoii
Just curious as to why most people don't store the refresh token as a JWT.
Sep 13, 2017 03:17 AM | Billy Liu
The refresh token is generated by the authorization server.
The type of refresh token is decided by which authorization server you are using.
Most of them do not set the refresh token as a JWT.
You could refer to the links below for more information about refresh tokens:
Sep 14, 2017 05:36 PM | PatriceSc
First, I'm really not an expert on that, but as the purpose of the refresh token is just to get another access token, I don't really see any benefit in doing something like that. From your point of view it is basically just some opaque value you are not concerned with? Do you have something in mind that would change if using a JWT for that?
Edit: for example, I believe a refresh token could basically be just an encrypted GUID. What matters is that the issuer knows how to process this token when you send it back (possibly retrieving some server-side information when processing it).
Edit: ah, or you meant stored all along with the other information needed for the refresh? I would say it's likely best to assemble this payload only when needed, to avoid possibly leaking the full information needed to get a new access token.
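To make the opaque-value approach from this thread concrete, here is an added example (not code from any poster or from a real authorization server) of an issuer that hands out random refresh tokens, keeps only a hash of them server-side, and assembles the access-token claims at redemption time from that stored record. The class name, the injectable clock and the TTL values are assumptions for illustration.

```python
import hashlib
import secrets
import time


def _fingerprint(token: str) -> str:
    """Store only a hash: a leaked token table then does not yield usable tokens."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class RefreshTokenIssuer:
    """Opaque refresh tokens: the value carries no claims, the server holds the state."""

    def __init__(self, refresh_ttl=30 * 86400, access_ttl=900, clock=time.time):
        self._records = {}        # fingerprint -> {"sub", "scope", "exp", "used"}
        self.refresh_ttl = refresh_ttl
        self.access_ttl = access_ttl
        self._clock = clock       # injectable clock so expiry can be tested (assumption)

    def issue(self, subject: str, scope: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, nothing decodable inside
        self._records[_fingerprint(token)] = {
            "sub": subject, "scope": scope,
            "exp": self._clock() + self.refresh_ttl, "used": False,
        }
        return token

    def redeem(self, token: str):
        """Exchange a refresh token for new access-token claims plus a rotated refresh token."""
        rec = self._records.get(_fingerprint(token))
        if rec is None:
            raise ValueError("unknown refresh token")
        if rec["used"]:
            raise ValueError("refresh token already redeemed")   # replay after rotation
        if rec["exp"] <= self._clock():
            raise ValueError("refresh token expired")
        rec["used"] = True                                       # one-time use (rotation)
        # The access-token payload is assembled here, from server-side state, only
        # when it is needed; the refresh token itself never carried it.
        access_claims = {"sub": rec["sub"], "scope": rec["scope"],
                         "exp": self._clock() + self.access_ttl}
        return access_claims, self.issue(rec["sub"], rec["scope"])
```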