
Does using the refresh token re-validate the user account?


When a refresh_token is used to obtain a new access_token, does Edge revalidate that the account still exists? I.e., can a user with a valid refresh_token get a new token even if their account has just been deleted?

Solved
1 ACCEPTED SOLUTION

When generating an access token from the refresh token, only the validity of the refresh token is verified.

So in an ideal implementation, when a user logs out or an account is deactivated, the corresponding access_token needs to be invalidated / revoked. This will take care of revoking the refresh token as well.

Alternatively, you could implement additional validation logic in your refresh token flow using callouts.

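The two options in the accepted answer, modeled as an added Python example that is not part of the original post and is not Apigee Edge's own code or management API. A constructed in-memory token store and a constructed user directory stand in for the gateway and the identity provider; `refresh_default` reproduces the behaviour the answer describes (only the refresh token is checked, so a deleted account still gets a new token), `revoke_access_token` / `revoke_user` are the logout or deactivation hook, and `refresh_with_account_check` is the extra validation a callout would perform before the grant is honoured.

```python
import secrets
import time

# Constructed sample data: a stand-in for the identity store that knows
# whether an account still exists. Not Apigee's implementation.
USERS = {"alice": {"active": True}}


class TokenStore:
    """Minimal in-memory model of a gateway token store (an assumption of this example)."""

    def __init__(self):
        self.access_tokens = {}   # access token -> record
        self.refresh_tokens = {}  # refresh token -> record

    def issue(self, user, access_ttl=3600, refresh_ttl=30 * 86400):
        """Issue an access/refresh token pair bound to the same user."""
        now = time.time()
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.access_tokens[access] = {
            "user": user, "expires": now + access_ttl,
            "revoked": False, "refresh_token": refresh,
        }
        self.refresh_tokens[refresh] = {
            "user": user, "expires": now + refresh_ttl,
            "revoked": False, "access_token": access,
        }
        return access, refresh

    def refresh_token_valid(self, refresh):
        """The only check the default refresh grant performs: known, unrevoked, unexpired."""
        rec = self.refresh_tokens.get(refresh)
        return rec is not None and not rec["revoked"] and rec["expires"] > time.time()

    def revoke_access_token(self, access, cascade=True):
        """Revoke an access token; with cascade=True the paired refresh token is
        revoked too, which is the behaviour the accepted answer describes."""
        rec = self.access_tokens.get(access)
        if rec is None:
            return False
        rec["revoked"] = True
        if cascade:
            self.refresh_tokens[rec["refresh_token"]]["revoked"] = True
        return True

    def revoke_user(self, user):
        """Revoke every token bound to a user (logout / deactivation hook). Returns count."""
        count = 0
        for store in (self.access_tokens, self.refresh_tokens):
            for rec in store.values():
                if rec["user"] == user and not rec["revoked"]:
                    rec["revoked"] = True
                    count += 1
        return count


def refresh_default(store, refresh):
    """Refresh grant that checks only the refresh token, as the answer describes.
    Returns a new (access, refresh) pair, or None if the grant is rejected."""
    if not store.refresh_token_valid(refresh):
        return None
    rec = store.refresh_tokens[refresh]
    rec["revoked"] = True  # rotate: the old refresh token is single-use
    store.access_tokens[rec["access_token"]]["revoked"] = True
    return store.issue(rec["user"])


def refresh_with_account_check(store, refresh, users):
    """Same grant with the extra validation a callout could add: the account must
    still exist and be active. On failure every token for that user is revoked."""
    if not store.refresh_token_valid(refresh):
        return None
    user = store.refresh_tokens[refresh]["user"]
    account = users.get(user)
    if account is None or not account.get("active", False):
        store.revoke_user(user)
        return None
    return refresh_default(store, refresh)


def demo():
    """Walk through the question's scenario: the account is deleted after tokens were issued."""
    store = TokenStore()
    users = dict(USERS)
    _, rt1 = store.issue("alice")
    _, rt2 = store.issue("alice")
    del users["alice"]  # account deleted, but nothing revoked the tokens
    rotated = refresh_default(store, rt1)  # succeeds: only the refresh token was checked
    checked = refresh_with_account_check(store, rt2, users)  # rejected, and cleans up
    after_cleanup = refresh_default(store, rotated[1]) if rotated else None
    return {
        "default_issued_after_delete": rotated is not None,
        "checked_issued_after_delete": checked is not None,
        "default_after_cleanup": after_cleanup is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The first result is the situation the question asks about: with nothing but refresh-token validation, a deleted account keeps minting tokens until the refresh token expires. Either hook closes the gap, and the callout variant also revokes whatever the account still holds so the default path stops working for it as well.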
