refresh-token

I am little confuse of Refresh Token in OAuth2. Like it says access token limit the time window of 1 hour that hacker can use the user credentials and refresh token is long live token which can be use to recreate the access token. I am confused if someone stole the access token from cookie he can also stole the refresh token and can use the refresh token to create new access token as I have ajax request in JQuery (Client Side) NOTE: I have created ajax request to send refresh token on server side I append the Client ID and Secret there with grant type refresh token. I have saved both access

I am using iOS ADAL library version 2.2.6 and receiving refresh token upon successful login. Now I want to make a silent call by using this refresh token. I tried with following method but it fails to return the access token. ADAuthenticationContext *authContext; [authContext acquireTokenSilentWithResource:resourceId clientId:clientId redirectUri:redirectUri userId:strUserID //loggedIn userID completionBlock:^(ADAuthenticationResult *result){ // It alway throws an error //Please call the non-silent acquireTokenWithResource methods. if(result.error){ ADAuthenticationError *error = nil;

I was reading the documentation on the Auth0 site regarding Refresh Tokens and SPA , and they state that SPA's should not use Refresh Tokens as they cannot be securely stored in a browser, and instead use Silent Authentication instead to retrieve new Access Tokens. A Single Page Application (normally implementing Implicit Grant) should not under any circumstances get a Refresh Token. The reason for that is the sensitivity of this piece of information. You can think of it as user credentials, since a Refresh Token allows a user to remain authenticated essentially forever. Therefore you cannot

I am using token based authentication in my application. My backend is developed using restful service(spring).The backend code is very well generating the required the access token and refresh tokens with timelines, So I have overidden the http class with following: export class customHttp extends Http { headers: Headers = new Headers({ 'Something': 'Something' }); options1: RequestOptions = new RequestOptions({ headers: this.headers }); private refreshTokenUrl = AppSettings.REFRESH_TOKEN_URL; constructor(backend: ConnectionBackend, defaultOptions: RequestOptions,private refresh