Designing Token and Refresh Token Structure for Security
In this meeting, the participants discuss the design of tokens, focusing on access tokens and refresh tokens. The main question is how best to model the refresh token in a database. They go over the tables they want to create for the tokens, with one table dedicated to the refresh token, and the attributes that table should hold: user ID, claims, expiration, audience, app ID, app key, and entity ID.

They also cover the purpose and usage of each token type. Access tokens are used for authentication, while refresh tokens have a longer lifetime and must be stored in a database so that they can be revoked. On the security side, they discuss validating refresh tokens with cryptography and the single-use nature of refresh tokens, and note that refresh tokens typically carry a longer expiration, such as 90 days. The discussion concludes with the suggestion to keep the refresh token table simple if scopes are not used, but to create a separate refresh token table if scopes matter.
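As an added illustration of the design summarized above (example code, not anything from the meeting itself), the following Python sketch models a refresh token table in SQLite with the attributes the participants listed, a 90-day expiry, single-use rotation and revocation. Storing only a SHA-256 hash of the token, and revoking all of a user's tokens for an app when a spent token is presented again, are assumptions added here rather than points from the discussion.

```python
import hashlib
import secrets
import sqlite3
import time

REFRESH_TTL = 90 * 24 * 3600  # 90-day refresh token lifetime, as discussed

# Refresh token table; only a hash of the token is stored (assumption),
# so a database leak does not hand out usable tokens.
SCHEMA = """
CREATE TABLE refresh_token (
    token_hash TEXT PRIMARY KEY,
    user_id    TEXT NOT NULL,
    app_id     TEXT NOT NULL,
    audience   TEXT NOT NULL,
    claims     TEXT NOT NULL,
    expires_at INTEGER NOT NULL,
    used       INTEGER NOT NULL DEFAULT 0,
    revoked    INTEGER NOT NULL DEFAULT 0
)
"""

def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def open_store():
    db = sqlite3.connect(":memory:")  # constructed in-memory store for the example
    db.execute(SCHEMA)
    return db

def issue_refresh_token(db, user_id, app_id, audience, claims, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # high-entropy opaque token
    db.execute("INSERT INTO refresh_token VALUES (?, ?, ?, ?, ?, ?, 0, 0)",
               (_hash(token), user_id, app_id, audience, claims, int(now + REFRESH_TTL)))
    return token

def redeem_refresh_token(db, token, now=None):
    """Single use: mark the presented token spent and issue a replacement, or return None."""
    now = time.time() if now is None else now
    row = db.execute("SELECT user_id, app_id, audience, claims, expires_at, used, revoked "
                     "FROM refresh_token WHERE token_hash = ?", (_hash(token),)).fetchone()
    if row is None:
        return None
    user_id, app_id, audience, claims, expires_at, used, revoked = row
    if revoked or expires_at <= now:
        return None
    if used:
        # Replay of an already-spent token: revoke every token for this user/app (assumption)
        db.execute("UPDATE refresh_token SET revoked = 1 WHERE user_id = ? AND app_id = ?",
                   (user_id, app_id))
        return None
    db.execute("UPDATE refresh_token SET used = 1 WHERE token_hash = ?", (_hash(token),))
    return issue_refresh_token(db, user_id, app_id, audience, claims, now)
```

Revocation for a single user is just an `UPDATE ... SET revoked = 1` on that user's rows, which is the reason the token has to live in the database at all.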