
thesunny | 6 years ago

In the article, they mention the refresh token needs to be revocable, which I assume means that it is stored in a table in a database or other data store. When the user logs out, the refresh token is removed from the table (i.e. it is revoked).

The JWT server would check to see that the refresh token, probably stored in the browser with a cookie or localStorage, is valid before sending the new JWT.
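
The flow described in the comment above, as an added example that is not part of the original comment or of the article it discusses. It assumes an in-memory SQLite table, a hand-rolled HS256 JWT, and hypothetical function names (`login`, `refresh`, `logout`, `verify_access_jwt`):

```python
import base64, hashlib, hmac, json, secrets, sqlite3

SIGNING_KEY = secrets.token_bytes(32)  # constructed demo key, regenerated per run
ACCESS_TTL = 300                       # assumed access-JWT lifetime in seconds

db = sqlite3.connect(":memory:")       # stands in for the server-side token table
db.execute("CREATE TABLE refresh_tokens "
           "(token_hash TEXT PRIMARY KEY, user_id TEXT, expires_at INTEGER)")

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input):
    return _b64(hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest())

def _digest(token):
    # Store only a hash so a leaked table does not yield usable refresh tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def login(user_id, now, ttl=14 * 86400):
    token = secrets.token_urlsafe(32)  # opaque random value handed to the browser
    db.execute("INSERT INTO refresh_tokens VALUES (?, ?, ?)",
               (_digest(token), user_id, now + ttl))
    return token

def refresh(token, now):
    """Return a new access JWT, or None if the token is unknown, revoked or expired."""
    row = db.execute("SELECT user_id, expires_at FROM refresh_tokens "
                     "WHERE token_hash = ?", (_digest(token),)).fetchone()
    if row is None or row[1] <= now:
        return None
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": row[0], "exp": now + ACCESS_TTL}).encode())
    return f"{head}.{body}.{_sign(head + '.' + body)}"

def logout(token):
    # Revocation is just deleting the row; later refresh() calls find nothing.
    db.execute("DELETE FROM refresh_tokens WHERE token_hash = ?", (_digest(token),))

def verify_access_jwt(jwt, now):
    """Stateless check: signature and exp only, no database lookup."""
    parts = jwt.split(".")
    expected = _sign(".".join(parts[:2]))
    if len(parts) != 3 or not hmac.compare_digest(expected.encode(), parts[2].encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    return claims["sub"] if claims["exp"] > now else None
```

Because `verify_access_jwt` never consults the table, a JWT issued before `logout` keeps verifying until its `exp`; deleting the row only stops new JWTs from being minted.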
