by cluckindan
29 days ago
Almost every OAuth2 service out there does exactly that: access token for client/BFF, refresh token in HttpOnly cookie. It’s a lot of work to get it right in SSR environments, since both the BFF and the frontend need to be able to refresh the access token (preferably transparently during an in-flight request). Even then, access tokens really should expire within a minute or two, not hours or days.