When I first learned about token-based #authentication, I assumed using a refresh #token would issue a new access token _and_ refresh token.
My wish has come true today, with @auth0 releasing Refresh Token Rotation
https://auth0.com/blog/securing-single-page-applications-with-refresh-token-rotation/
What does this actually mean?

Before: Single Page Apps wouldn't get a refresh token, because a compromised RT was too dangerous. To reauthenticate, an iframe was used instead, relying on third-party cookies.
However, recent browser #privacy improvements have impacted #SPA's when it comes to #OAuth.
After: #SinglePageApps can now get a single-use refresh token with a shorter expiry, and use that to reauthenticate a user or obtain a new access token.
No more third-party cookies. No more iframes.
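
An added example, not part of the original thread and not Auth0's code: a minimal in-memory model of the server side of single-use refresh token rotation, where each refresh returns a new access token and a new refresh token and the old one stops working. The class name, the 15-minute lifetime, and the step of revoking the whole token family when a used token is replayed are assumptions made for illustration.

```javascript
// Added example: in-memory model of single-use refresh token rotation.
const { randomBytes } = require('node:crypto');

const REFRESH_TTL_MS = 15 * 60 * 1000; // constructed value standing in for "shorter expiry"

class RotatingTokenStore { // hypothetical name
  constructor(now = () => Date.now()) {
    this.now = now;
    this.tokens = new Map();  // refresh token -> { family, user, expires, used }
    this.revoked = new Set(); // token families revoked after a replay
  }

  _issue(user, family) {
    const refreshToken = randomBytes(32).toString('hex');
    this.tokens.set(refreshToken, {
      family, user, expires: this.now() + REFRESH_TTL_MS, used: false,
    });
    return { accessToken: randomBytes(16).toString('hex'), refreshToken };
  }

  // Called after an interactive login: starts a new token family.
  login(user) {
    return this._issue(user, randomBytes(8).toString('hex'));
  }

  // Exchange a refresh token for a new access token AND a new refresh token.
  refresh(presented) {
    const rec = this.tokens.get(presented);
    if (!rec || this.revoked.has(rec.family)) return { error: 'invalid_grant' };
    if (rec.used) {
      // A single-use token came back, so two parties hold copies of it.
      // Assumption: respond by revoking every token descended from that login.
      this.revoked.add(rec.family);
      return { error: 'invalid_grant' };
    }
    if (this.now() >= rec.expires) return { error: 'invalid_grant' };
    rec.used = true; // rotation: the presented token can never be used again
    return this._issue(rec.user, rec.family);
  }
}
```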