Refresh token rotation
Summary
One of the security threats when using refresh tokens is that they can be reused outside their initial context (for example by an attacker who obtained a copy of one).
A good way to prevent that is to implement refresh token rotation: https://tools.ietf.org/html/rfc6819#section-5.2.2.3
The idea is that a refresh token can be used only once: every refresh request invalidates the presented token and returns a new one. This has 2 benefits:
- once used, a refresh token cannot be reused even if it is leaked afterwards
- if the refresh token is leaked and used by the attacker before being legitimately used, the next legitimate refresh fails, so the client notices something is wrong, and the authorization server sees the same token presented twice and can detect the theft (and revoke the whole chain of tokens derived from it)
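As an added illustration (example code written for this issue, not part of the project), here is a minimal in-memory model of an authorization server doing refresh token rotation. The class and method names (`AuthorizationServer`, `refresh`, the notion of a token "family") are assumptions for the example; the point is that each token is redeemable once, that a second presentation of an already-used token revokes every token descended from the same original grant, and that a token presented by a different client than it was issued to is treated the same way.

```python
import secrets


class RefreshTokenReuseError(Exception):
    """Raised when an already-used refresh token is presented again."""


class AuthorizationServer:
    """In-memory model of refresh token rotation (RFC 6819 section 5.2.2.3).

    Every refresh token belongs to a family (one family per original grant).
    A token may be redeemed exactly once; redeeming it marks it as used and
    mints a new token of the same family. Presenting a used token again, or
    presenting a token from a different client_id than it was issued to, is
    treated as theft and the whole family is revoked.
    """

    def __init__(self):
        # token -> {"family": str, "client_id": str, "used": bool}
        self._tokens = {}
        # family ids that have been revoked because of detected reuse
        self._revoked = set()

    def issue_initial(self, client_id):
        """Called once when the user first authorizes the client."""
        family = secrets.token_hex(8)
        return self._mint(family, client_id)

    def _mint(self, family, client_id):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"family": family, "client_id": client_id, "used": False}
        return token

    def family_is_revoked(self, token):
        rec = self._tokens.get(token)
        return rec is not None and rec["family"] in self._revoked

    def refresh(self, token, client_id):
        """Redeem a refresh token; returns (access_token, new_refresh_token)."""
        rec = self._tokens.get(token)
        if rec is None:
            raise ValueError("invalid_grant: unknown refresh token")
        if rec["family"] in self._revoked:
            raise ValueError("invalid_grant: token family has been revoked")
        if rec["client_id"] != client_id or rec["used"]:
            # Either reuse of a rotated token or use outside its original
            # context: we cannot tell which party is the attacker, so every
            # token of this family is revoked and all parties must re-login.
            self._revoked.add(rec["family"])
            raise RefreshTokenReuseError("refresh token reuse detected; family revoked")
        rec["used"] = True
        new_refresh = self._mint(rec["family"], client_id)
        access_token = secrets.token_urlsafe(16)
        return access_token, new_refresh


def run_theft_scenario():
    """Constructed scenario: the first refresh token leaks before the
    legitimate client uses it. Returns what each party observed."""
    srv = AuthorizationServer()
    rt1 = srv.issue_initial("app")
    stolen = rt1  # attacker copies the token at this point
    _, rt2 = srv.refresh(rt1, "app")  # legitimate rotation: rt1 is now used
    outcome = {}
    try:
        srv.refresh(stolen, "app")  # attacker replays the old token
        outcome["attacker_replay"] = "accepted"
    except RefreshTokenReuseError:
        outcome["attacker_replay"] = "reuse_detected"
    try:
        srv.refresh(rt2, "app")  # legitimate client's next refresh
        outcome["legit_after_replay"] = "accepted"
    except ValueError:
        # invalid_grant: the client learns its grant is gone and re-authenticates
        outcome["legit_after_replay"] = "rejected"
    return outcome


if __name__ == "__main__":
    print(run_theft_scenario())
```

The same detection fires in the reverse order (attacker refreshes first, legitimate client second): whichever party presents the token second triggers revocation of the whole family, which is why the legitimate client ends up forced to log in again rather than silently sharing a session with the attacker.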
Design proposition
I'll let you discuss this :)