theonething 6 days ago

> invalidating refresh keys after single use

That's called refresh token rotation and is a valid security practice.
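
Refresh token rotation as described in the comment above, as an added example that is not part of this thread and not anyone's production code: an in-memory authorization-server-side store in which every refresh token is single use, and presenting an already-rotated token revokes the whole token family, which is the reuse-detection rationale RFC 6749 gives in section 10.4. The store class, the TTL constants, the family identifiers and the opaque stand-in for a signed access token are all assumptions of this example.

```python
import hashlib
import secrets
import time

# Added example (not from the thread): single-use refresh tokens with
# family-wide revocation on reuse. Lifetimes below are assumed values.
REFRESH_TTL = 30 * 24 * 3600  # refresh token lifetime (assumed 30 days)
ACCESS_TTL = 15 * 60          # access token lifetime (assumed 15 minutes)


class ReuseDetected(Exception):
    """An already-consumed refresh token was presented a second time."""


class InvalidToken(Exception):
    """Unknown, expired, or revoked refresh token."""


def _h(token: str) -> str:
    # Persist only a hash so a leaked store does not leak usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class RefreshTokenStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}   # token hash -> {"family", "expires", "consumed"}
        self._families = {}  # family id -> {"revoked": bool, "members": [hashes]}

    def _mint(self, family: str) -> str:
        token = secrets.token_urlsafe(32)
        self._records[_h(token)] = {
            "family": family,
            "expires": self._clock() + REFRESH_TTL,
            "consumed": False,
        }
        self._families[family]["members"].append(_h(token))
        return token

    def grant(self) -> str:
        """Initial grant (e.g. after the authorization-code exchange): new family."""
        family = secrets.token_hex(8)
        self._families[family] = {"revoked": False, "members": []}
        return self._mint(family)

    def refresh(self, presented: str):
        """Exchange a refresh token for (access_token, new_refresh_token)."""
        rec = self._records.get(_h(presented))
        if rec is None:
            raise InvalidToken("unknown refresh token")
        fam = self._families[rec["family"]]
        if fam["revoked"]:
            raise InvalidToken("token family revoked")
        if rec["consumed"]:
            # Second use: the legitimate client and someone else both hold a copy.
            # We cannot tell which is which, so the whole family is revoked.
            self.revoke_family(rec["family"])
            raise ReuseDetected("refresh token reuse in family " + rec["family"])
        if rec["expires"] < self._clock():
            raise InvalidToken("refresh token expired")
        rec["consumed"] = True
        new_refresh = self._mint(rec["family"])
        access = secrets.token_urlsafe(32)  # stand-in for a real signed access token
        return access, new_refresh

    def revoke_family(self, family: str) -> None:
        self._families[family]["revoked"] = True

    def is_revoked(self, token: str) -> bool:
        rec = self._records.get(_h(token))
        return rec is not None and self._families[rec["family"]]["revoked"]


def demo() -> dict:
    """Walk through one rotation, one replay, and the resulting family revocation."""
    store = RefreshTokenStore()
    rt0 = store.grant()
    _, rt1 = store.refresh(rt0)       # legitimate rotation: rt0 is now consumed
    try:
        store.refresh(rt0)            # replay of the consumed token
        reuse = False
    except ReuseDetected:
        reuse = True
    try:
        store.refresh(rt1)            # the freshly issued token is dead as well
        family_dead = False
    except InvalidToken:
        family_dead = True
    return {"reuse_detected": reuse, "family_revoked": family_dead}


if __name__ == "__main__":
    print(demo())
```

The ordering of the checks matters: the revoked-family check runs before the consumed check so that a client cannot learn anything extra by replaying tokens into an already-revoked family, and the reuse path revokes before raising so the caller cannot race the revocation.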

another_twist 6 days ago

I know but the RFC doesn't mandate it. https://datatracker.ietf.org/doc/html/rfc6749#section-6

Not sure why Google doesn't do this but Atlassian does.

cropcirclbureau 6 days ago

Google OAuth2 refresh tokens are definitely single use.

another_twist 6 days ago

At least not documented here https://developers.google.com/identity/protocols/oauth2#5.-r.... They have a limit on the number of tokens but not on the number of uses per token.