refresh_token invalidation issue

Togrul Magerramov

Sep 9, 2015, 4:19:17 PM
to Spring Security REST

If a refresh_token is stolen, there is no way to prevent login except by changing the signature secret. JWT cannot be 100% stateless, as it needs to invalidate the refresh_token after a UserDetails change (such as password) in the DB.
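
The point raised in the post above, as an added example that is not part of the original message and not the Spring Security REST plugin's code: a signed refresh token keeps passing signature verification until the server also consults some per-user state. The `credentials_changed_at` store, the claim names, the secret and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed signing secret (assumption)
# Hypothetical server-side state: when each user's credentials last changed.
credentials_changed_at = {"alice": 1000}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_refresh_token(user: str, now: int) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user, "iat": now}).encode())
    return f"{header}.{body}.{_b64(_sign(f'{header}.{body}'))}"

def check_refresh_token(token: str) -> str:
    """Return 'ok', 'bad-signature' or 'revoked'."""
    try:
        header, body, sig = token.split(".")
        # Stateless step: always verify as HS256, never trust the header's alg.
        if not hmac.compare_digest(_sign(f"{header}.{body}"), _unb64(sig)):
            return "bad-signature"
        claims = json.loads(_unb64(body))
        user, issued_at = claims["sub"], claims["iat"]
    except (ValueError, KeyError, TypeError):
        return "bad-signature"
    # Stateful step: a token issued before the last credential change is dead,
    # even though its signature is still valid.
    changed = credentials_changed_at.get(user)
    if changed is None or issued_at < changed:
        return "revoked"
    return "ok"

def change_password(user: str, now: int) -> None:
    # Recording the change time invalidates every earlier refresh token
    # for this user without rotating the global signing secret.
    credentials_changed_at[user] = now
```
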
