Important: This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Refresh tokens are single-use only

Status

This is just a proposal so far, it hasn't been accepted and needs further discussion.

Status: proposed
Deciders: rishabhpoddar, porcellus
Proposed by: porcellus
Created: 2023-05-11

Context and Problem Statement

Refresh token rotation is optional in OAuth 2.0 but required in OAuth 2.1.

Considered Options

  • No refresh token rotation
  • Always use rotating refresh tokens

Decision Outcome

Chosen option: Always use rotating refresh tokens

  • Fits the newer security best practices
  • We are OK with not handling a niche edge case (i.e. connection interruptions during the refresh call)
  • We considered adding Core config to disable this, but:
    • It should be easy to add later
    • Doesn't seem necessary in the first iteration

Pros and Cons of the Options

No refresh token rotation

  • Simpler usage
  • Goes against new security best practices

Always use rotating refresh tokens

  • Fits the newer security best practices
  • We already do something very similar for our normal sessions
  • There are some edge cases that make this harder to use (e.g. a connection interruption during token refresh)
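To make the trade-off concrete, here is an added example (hypothetical code, not SuperTokens Core) modelling single-use refresh tokens and the connection-interruption edge case named above in the Decision Outcome and in the cons list. It goes slightly beyond the page by also treating a re-presented, already consumed token as reuse that revokes the session, which is what the OAuth 2.1 draft and the OAuth security BCP recommend for rotating tokens.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user_id: str
    active_token: str      # the single refresh token currently accepted for this session
    revoked: bool = False

class RefreshTokenStore:
    """Hypothetical in-memory store of single-use (rotating) refresh tokens.
    Every token ever issued stays mapped to its session, so a consumed token can be
    recognised; presenting it again counts as reuse and revokes the whole session."""

    def __init__(self) -> None:
        self._by_token: dict[str, Session] = {}

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Session(user_id=user_id, active_token=token)
        return token

    def refresh(self, presented: str) -> str | None:
        """Consume `presented` and return the rotated token, or None if rejected."""
        sess = self._by_token.get(presented)
        if sess is None or sess.revoked:
            return None                     # unknown token, or session already revoked
        if presented != sess.active_token:
            sess.revoked = True             # reuse of a consumed token: revoke the session
            return None
        new_token = secrets.token_urlsafe(32)
        sess.active_token = new_token       # the old token is now consumed
        self._by_token[new_token] = sess
        return new_token

    def is_active(self, token: str) -> bool:
        sess = self._by_token.get(token)
        return sess is not None and not sess.revoked and sess.active_token == token

def interrupted_refresh_scenario() -> tuple[bool, bool, bool]:
    """The edge case the ADR accepts: the rotated token never reaches the client."""
    store = RefreshTokenStore()
    old = store.issue("user-1")            # constructed sample user
    new = store.refresh(old)               # server rotates, but the response is lost in transit
    retry = store.refresh(old)             # client retries with the only token it still holds
    # rotated, retry rejected, and the rotated token is dead too: the client must log in again
    return new is not None, retry is None, not store.is_active(new)
```

Without rotation the retry would simply succeed; with single-use tokens the client that loses the refresh response has no valid token left and must re-authenticate, which is the cost the decision above accepts.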