This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
This is just a proposal so far, it hasn't been accepted and needs further discussion.
Refresh token rotation is optional in OAuth2.0 but required in 2.1
- No refresh token rotation
- Always use rotating refresh tokens
Chosen option: Always use rotating refresh tokens
- Fits the newer security best practices
- We are OK with not handling niche edge-case (i.e.: connection interruptions during the refresh call)
- We considered adding Core config to disable this, but:
- It should be easy to add later
- Doesn't seem necessary in the first iteration