HermanTheGerman

Reputation: 271

JWT: use refresh token as access token

What if a refresh token is hijacked by a hacker, and then he tries to use the refresh token as the access token? Will the validator in the backend see that the refresh token is valid and not expired? Is there any mechanism that will identify the refresh token as a refresh token?

Upvotes: 0

Views: 230

Answers (1)

Tore Nestenius

Reputation: 19981

The hacker can only use the refresh token to get a new access token. The refresh token can't be used to access any APIs or other services. The refresh token is usually just a random string and not a JWT token.

The backend often returns a new refresh token after each use, and if the same refresh token is used twice (by the hacker + the normal user), then the user is blocked (one-time refresh tokens).

Upvotes: 1
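The two points in the answer, that an opaque refresh token is useless against an API validator and that one-time (rotated) refresh tokens let the backend detect a hijacked token being replayed, as an added example. This is not code from the answerer or from any library; it is a self-contained toy built for this page. Assumptions are labelled in the code: the HS256 key and the user name are constructed, the `typ` claim that marks a JWT as an access token is a design choice added here (the answer does not mention it), and the refresh-token store is an in-memory dictionary standing in for a database table.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for this example; in a real deployment the key comes from configuration.
SIGNING_KEY = b"example-signing-key-not-for-production"
ACCESS_TTL = 300  # access-token lifetime in seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user_id: str, now: float) -> str:
    """Short-lived HS256 JWT. The 'typ' claim (our own convention) states its purpose."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "typ": "access", "iat": int(now), "exp": int(now) + ACCESS_TTL}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_access_token(token: str, now: float):
    """What an API validator does. Returns the payload, or None when the token is rejected.
    An opaque refresh token is not a JWT at all, so it fails here before any expiry check."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # never let the token pick the algorithm
            return None
        expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if payload.get("typ") != "access" or payload.get("exp", 0) <= now:
        return None
    return payload


class RefreshTokenStore:
    """Server-side table of opaque refresh tokens with rotation and reuse detection.
    Stand-in for a database; only a hash of each token is kept."""

    def __init__(self):
        self._records = {}  # sha256(token) -> {"user", "family", "used"}
        self._revoked_families = set()

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, family: str = None) -> str:
        token = secrets.token_urlsafe(32)  # random string, not a JWT
        family = family or secrets.token_hex(8)  # ties all rotations of one login together
        self._records[self._key(token)] = {"user": user_id, "family": family, "used": False}
        return token

    def rotate(self, presented: str, now: float):
        """Exchange a refresh token for a new (access, refresh) pair, or None if rejected."""
        rec = self._records.get(self._key(presented))
        if rec is None or rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            # Second use of a one-time token: either the hijacker or the real user is replaying it.
            # Revoke the whole family so neither side can continue without logging in again.
            self._revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return issue_access_token(rec["user"], now), self.issue(rec["user"], rec["family"])


def hijack_scenario():
    """Walk through the situation in the question and return what each step yields."""
    store = RefreshTokenStore()
    t0 = 1_700_000_000.0  # constructed fixed clock for repeatability
    rt1 = store.issue("alice")  # user logs in; this token is then stolen
    refresh_as_access = verify_access_token(rt1, t0)  # hijacker sends it to an API
    access, rt2 = store.rotate(rt1, t0)  # first use: rotation succeeds
    access_ok = verify_access_token(access, t0)
    replay = store.rotate(rt1, t0 + 1)  # second use of rt1: detected, family revoked
    after_revoke = store.rotate(rt2, t0 + 2)  # even the fresh token is now dead
    expired = verify_access_token(access, t0 + ACCESS_TTL + 1)
    return {
        "refresh_as_access": refresh_as_access,
        "access_sub": access_ok["sub"] if access_ok else None,
        "replay": replay,
        "after_revoke": after_revoke,
        "expired": expired,
    }


if __name__ == "__main__":
    print(hijack_scenario())
```

The family identifier is what turns "the same refresh token is used twice" into a block on the user: once a replay is seen, every token descended from that login is refused, so the attacker cannot keep going with the token they obtained and the legitimate user is forced to re-authenticate.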
