Handle losing track of Refresh Token #272
Hello, I'm looking at the OAuth2 Authorization Code Refresh Token process. Nevertheless, I can see that you can only use the refresh token once. Meaning that in the eventuality of a network error right after having called Ory, we will have used our one chance but we won't have access to the new refresh token. Do you have any idea of how we could handle this? Is the only option to authenticate the client again? Thanks
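The failure mode described in the question, as an added example that is not part of this discussion and not Ory's code: a constructed single-use refresh token endpoint, plus a client that records the refresh attempt before sending it, so a response lost to a network error is detected by one retry and turned into an explicit "re-authenticate" state instead of a silently dead token. The endpoint, its `drop_next_response` switch and the `Client` class are all assumptions made for the simulation.

```python
# Added example (not from the discussion or from Ory): a constructed one-time-use
# refresh endpoint plus a client that records the attempt before sending it, so a
# lost response is detected and handled rather than leaving a silently dead token.
import secrets


class FakeTokenEndpoint:
    """Constructed stand-in for an authorization server with refresh token rotation."""

    def __init__(self):
        self.valid = {}                  # refresh_token -> subject
        self.drop_next_response = False  # simulate a network error after rotation

    def issue(self, subject):
        rt = secrets.token_urlsafe(16)
        self.valid[rt] = subject
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": rt}

    def refresh(self, refresh_token):
        subject = self.valid.pop(refresh_token, None)  # single use: consumed here
        if subject is None:
            return {"error": "invalid_grant"}
        tokens = self.issue(subject)
        if self.drop_next_response:
            self.drop_next_response = False
            raise ConnectionError("response lost")  # rotated, but client never saw it
        return tokens


class Client:
    def __init__(self, endpoint, subject):
        self.endpoint = endpoint
        self.store = endpoint.issue(subject)  # stands in for durable token storage
        self.needs_reauth = False

    def refresh(self):
        # Persist the in-flight attempt first: after a crash or lost response the
        # stored token may already be consumed, and this marker says so.
        self.store["pending_refresh"] = self.store["refresh_token"]
        try:
            tokens = self.endpoint.refresh(self.store["refresh_token"])
        except ConnectionError:
            # Outcome unknown. A single retry with the same token distinguishes
            # "request never arrived" from "already rotated" (invalid_grant).
            tokens = self.endpoint.refresh(self.store["pending_refresh"])
        if "error" in tokens:
            self.needs_reauth = True  # the only remaining option is a new login
            return False
        self.store = dict(tokens)  # new refresh token replaces the old one atomically
        return True
```

With a real authorization server the retry is still a best-effort probe: if it also fails with a network error the client must keep the pending marker and keep treating the session as unconfirmed.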
Replies: 1 comment
Hello @MollardMichael
I think this problem is built into the whole access/refresh token mechanism.
The solution is to not use an OAuth2 mechanism for authentication.
Learn more about the Ory Identities security model here: https://www.ory.sh/docs/security-model
Blog post on the limitations of OAuth2: https://www.ory.sh/oauth2-openid-connect-do-you-need-use-cases-examples/