Requesting new refresh tokens #5
Comments
I would say most online tutorials don't have this. So it might be OK to not need a valid access token to refresh a token. However, if we look at the refresh token generation (below), we need to understand the risk that enumerating all refresh tokens is not difficult and we can brute-force to get tokens for some users.

JwtAuthDemo/webapi/JwtAuthDemo/Infrastructure/JwtAuthManager.cs, lines 128 to 134 in 3ebda08
I didn't even consider this. This is a good enough reason. Thanks for the response!
I am opening this as an issue because discussions are not enabled on this repo. I love and use this template that you have provided because of its simplicity and effectiveness. I'd love to ask a question though. Is there any reason why a user needs to have a valid access token in order to call the /refresh-token endpoint?
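
An added example (not code from this repository or from either commenter) of the check discussed in this thread: a refresh call succeeds only when the presented refresh token belongs to the user named in the access token, so a guessed or leaked refresh token is not enough on its own. The type and method names, the 7-day lifetime and the in-memory store are assumptions made for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical types for illustration; not the JwtAuthDemo classes.
public sealed record RefreshEntry(string UserName, DateTime ExpiresAt);

public sealed class RefreshTokenStore
{
    private readonly ConcurrentDictionary<string, RefreshEntry> _tokens = new();

    // 32 bytes from the OS CSPRNG gives 256 bits of entropy per token.
    public string Issue(string userName, DateTime now)
    {
        var token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _tokens[token] = new RefreshEntry(userName, now.AddDays(7)); // lifetime is an assumption
        return token;
    }

    // userNameFromAccessToken must come from an access token whose signature
    // the caller has already validated (assumption: done by the JWT layer).
    public bool TryRotate(string refreshToken, string userNameFromAccessToken,
                          DateTime now, out string? newToken)
    {
        newToken = null;
        if (!_tokens.TryGetValue(refreshToken, out var entry)) return false; // unknown token
        if (entry.UserName != userNameFromAccessToken) return false;          // issued to another user
        if (entry.ExpiresAt < now) return false;                              // expired
        if (!_tokens.TryRemove(refreshToken, out _)) return false;            // already consumed
        newToken = Issue(entry.UserName, now);                                // rotate: old token is single-use
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new RefreshTokenStore();
        var now = DateTime.UtcNow;
        var aliceToken = store.Issue("alice", now); // constructed sample user

        // Valid refresh token presented with a different user's identity.
        Console.WriteLine(store.TryRotate(aliceToken, "mallory", now, out _));
        // Same token presented with the matching identity.
        Console.WriteLine(store.TryRotate(aliceToken, "alice", now, out _));
        // Replay of the token that was just rotated.
        Console.WriteLine(store.TryRotate(aliceToken, "alice", now, out _));
    }
}
```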