Enable sending access token in response while sending refresh in a cookie #217
Comments
This is a very good point. To solve this in one of my projects I created an adapted version of the
@syberen I ran into this problem as well and was thinking about trying to fix it with a decorator as well. There seem to be 2 other issues related to this:
I think it would be good to create a pull request for this, especially since sending the JWT in the payload and the refresh token in an HTTP-only cookie currently seems to be the safest approach. I hope this gets some feedback from the maintainers!
Currently, when using long running refresh tokens, if the jwt_cookie decorator is set, both tokens will be sent in separate cookies. There should be an option to send only the refresh token in a cookie while the access token is sent in the response body.
This way, the access token can be stored in memory, which is the OAuth2 recommendation for token storage: https://auth0.com/docs/tokens/token-storage
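The delivery pattern requested in this issue, sketched with only the Python standard library as an added example (it is not code from this project or from anyone in the thread). The cookie name, path, lifetime and the `Secure`/`SameSite` settings are assumptions chosen for illustration, and the token strings are constructed.

```python
import json
from http.cookies import SimpleCookie

# Assumed cookie name; not taken from the project.
REFRESH_COOKIE = "refresh_token"


def build_login_response(access_token, refresh_token,
                         refresh_max_age=7 * 24 * 3600,
                         refresh_path="/auth/refresh"):
    """Return (headers, body) for a successful login or refresh.

    The access token travels only in the JSON body, so the client can keep it
    in memory. The refresh token travels only in a cookie that page scripts
    cannot read (HttpOnly), that is never sent over plain HTTP (Secure), that
    is not attached to cross-site requests (SameSite=Strict), and that the
    browser attaches only to the refresh endpoint (Path).
    """
    jar = SimpleCookie()
    jar[REFRESH_COOKIE] = refresh_token
    morsel = jar[REFRESH_COOKIE]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["max-age"] = refresh_max_age
    morsel["path"] = refresh_path

    headers = [
        ("Content-Type", "application/json"),
        ("Cache-Control", "no-store"),  # keep the token body out of caches
        ("Set-Cookie", morsel.OutputString()),
    ]
    body = json.dumps({"access_token": access_token})
    return headers, body


def read_refresh_token(cookie_header):
    """Extract the refresh token from a request's Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(REFRESH_COOKIE)
    return morsel.value if morsel else None


if __name__ == "__main__":
    hdrs, payload = build_login_response("constructed.access.jwt",
                                         "constructed-refresh-value")
    for name, value in hdrs:
        print(f"{name}: {value}")
    print(payload)
```

Because the refresh endpoint authenticates from a cookie, it still needs CSRF consideration; `SameSite=Strict` here is one assumed mitigation, not the only one.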