Spec: https://tools.ietf.org/html/rfc6749#section-6
Our refresh tokens are JWTs with a different set of claims from the access tokens.
Things to note:
- Should we always issue a new access token, or reuse the existing access token until it is about to expire? We should go with the latter.
- Rate limiting (related to the first point).
- How do we deal with expired, or about-to-expire, refresh tokens? Make it configurable: either the tokens can be extended indefinitely, or users must re-authorize once their refresh tokens have expired.
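The three points above, worked into a minimal refresh handler. This is an added illustration, not the project's code: it assumes HS256 JWTs under a constructed secret, a `typ` claim that separates refresh tokens from access tokens, a 5-minute reuse margin, a crude per-subject rate limit, in-memory server state, and an `extend_refresh` flag standing in for the configurable expiry policy.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed for this example; load a real key from config
ACCESS_TTL, REFRESH_TTL = 3600, 30 * 86400
REUSE_MARGIN = 300         # reuse the current access token while it has > 5 min left
MIN_REFRESH_INTERVAL = 10  # crude rate limit: one refresh per subject per 10 s

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_encode(claims: dict) -> str:
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest())
    return f"{head}.{body}.{sig}"

def jwt_decode(token: str) -> dict:
    head, body, sig = token.split(".")
    good = _b64(hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, good):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def issue(typ: str, sub: str, now: int) -> str:
    ttl = ACCESS_TTL if typ == "access" else REFRESH_TTL
    return jwt_encode({"typ": typ, "sub": sub, "iat": now, "exp": now + ttl})

# server-side state: last access token handed out per subject, and last refresh time
_current_access: dict = {}
_last_refresh: dict = {}

def refresh(refresh_token: str, now: int, extend_refresh: bool = False) -> tuple:
    rt = jwt_decode(refresh_token)
    if rt.get("typ") != "refresh":   # an access token must not be accepted as a refresh token
        raise ValueError("not a refresh token")
    if rt["exp"] <= now:             # expired: the user has to re-authorize
        raise ValueError("refresh token expired")
    sub = rt["sub"]
    if now - _last_refresh.get(sub, -MIN_REFRESH_INTERVAL) < MIN_REFRESH_INTERVAL:
        raise ValueError("too many refresh requests")
    _last_refresh[sub] = now
    access = _current_access.get(sub)
    if access is None or jwt_decode(access)["exp"] - now <= REUSE_MARGIN:
        access = issue("access", sub, now)   # mint only when none exists or it is about to expire
        _current_access[sub] = access
    # configurable policy: extend (rotate) the refresh token, or keep it until it expires
    new_rt = issue("refresh", sub, now) if extend_refresh else refresh_token
    return access, new_rt
```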