When I first learned about token-based #authentication, I assumed using a refresh #token would issue a new access token _and_ refresh token.

My wish has come true today, with @auth0 releasing Refresh Token Rotation 🎉

https://auth0.com/blog/securing-single-page-applications-with-refresh-token-rotation/

What does this actually mean? 👇
Before: Single Page Apps wouldn't get a refresh token, because a compromised RT was too dangerous. To reauthenticate, an iframe was used instead, relying on third-party cookies.

However, recent browser #privacy improvements have impacted #SPAs when it comes to #OAuth.
After: #SinglePageApps can now get a single-use refresh token with a shorter expiry, and use that to reauthenticate a user or obtain a new access token.

No more third-party cookies. No more iframes.
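The "single-use refresh token with a shorter expiry" idea from the thread, as an added example (not Auth0's or the author's code): an in-memory issuer that hands out a new access token and a new refresh token on every refresh, rejects an expired refresh token, and, going one step beyond the thread, treats reuse of an already-consumed refresh token as a sign of compromise and revokes that token family. TTL values, the `TokenIssuer` class and the injectable `clock` are assumptions made for the example.

```python
import secrets
import time

# Constructed lifetimes for the example: short access token, short-ish
# single-use refresh token.
ACCESS_TTL = 300
REFRESH_TTL = 3600


class TokenIssuer:
    """Issues access/refresh token pairs with refresh token rotation."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for testing expiry
        self.refresh = {}           # refresh token -> {family, exp, used}
        self.revoked_families = set()

    def _issue(self, family):
        now = self.clock()
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = {"family": family, "exp": now + REFRESH_TTL, "used": False}
        return {
            "access_token": secrets.token_urlsafe(32),
            "access_exp": now + ACCESS_TTL,
            "refresh_token": rt,
        }

    def login(self):
        # Each login starts a fresh token family.
        return self._issue(secrets.token_urlsafe(16))

    def rotate(self, rt):
        """Exchange a refresh token for a new access + refresh token pair."""
        rec = self.refresh.get(rt)
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec["family"] in self.revoked_families:
            raise PermissionError("token family revoked")
        if rec["used"]:
            # Single-use violated: a second party presented this token, so
            # every token descended from the same login is revoked.
            self.revoked_families.add(rec["family"])
            raise PermissionError("refresh token reuse detected; family revoked")
        if self.clock() > rec["exp"]:
            raise PermissionError("refresh token expired")
        rec["used"] = True
        return self._issue(rec["family"])
```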