I'm trying to figure out the proper flow and usage of Refresh Tokens with respect to the OAuth2 spec and I am completely stumped on how a specific use-case is supposed to work.
My main issue is, if I receive a refresh token from some OAuth provider (in this case Google), I have two problems I don't know how to solve:
- How do I persist the refresh token securely so that it can be used to obtain new tokens to keep a user logged in?
- How do I determine who the user is who needs a refresh token? I can't just have an endpoint that takes in old tokens or email addresses to issue a refreshed token because that seems incredibly dumb.
Quick image detailing the OAuth flow I am referring to
I believe I am considering some small implementation details incorrectly and I just don't want my backend API to be open to some massive security hole if I can prevent it by asking the helpful people of StackOverflow how this is actually supposed to work.
I should add that the only solution that seems semi-plausible is using some sort of timed refresh mechanism, but that would involve having access to the refresh token on the frontend, which I am trying to avoid since that in itself seems like a security risk.
I am concerned about best practices here, so if my entire implementation is flawed and I should be doing X instead of Y or Z then I'm open to suggestions too.
Thanks for your time,
Ses
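The two problems the question raises (where the refresh token lives, and how the backend knows which user is asking) are usually solved together: the backend keeps the provider's refresh token in its own session store and identifies the caller by an opaque session cookie, never by email or by an old token. The following is an added example, not code from the question or from Google's libraries; it assumes an in-memory dict as a stand-in for a database and a hypothetical `exchange(refresh_token)` callable standing in for the provider's token endpoint.

```python
# Added example: server-side session store for OAuth2 refresh tokens.
# The browser only ever holds an opaque session id; the refresh token stays here.
import hashlib
import secrets
import time

_SESSIONS = {}  # sha256(session_id) -> record; constructed in-memory stand-in for a DB

def _key(session_id: str) -> str:
    # Store only a hash of the cookie value so a leaked table does not yield usable cookies.
    return hashlib.sha256(session_id.encode()).hexdigest()

def create_session(user_id: str, token_response: dict) -> str:
    """Called once after the authorization-code exchange; returns the cookie value."""
    session_id = secrets.token_urlsafe(32)
    _SESSIONS[_key(session_id)] = {
        "user_id": user_id,
        "access_token": token_response["access_token"],
        "refresh_token": token_response["refresh_token"],
        "expires_at": time.time() + token_response["expires_in"],
    }
    return session_id

def get_access_token(session_id: str, exchange, now=None, skew=60) -> str:
    """Return a valid access token for the session's user, refreshing when near expiry.

    `exchange(refresh_token) -> dict` is a hypothetical stand-in for a
    grant_type=refresh_token call to the provider. The caller is identified only
    by the session cookie, so no endpoint needs to accept emails or old tokens.
    """
    record = _SESSIONS.get(_key(session_id))
    if record is None:
        raise PermissionError("unknown or revoked session")
    now = time.time() if now is None else now
    if record["expires_at"] - skew > now:
        return record["access_token"]  # still valid, no round trip to the provider
    fresh = exchange(record["refresh_token"])
    record["access_token"] = fresh["access_token"]
    record["expires_at"] = now + fresh["expires_in"]
    # Some providers rotate refresh tokens; keep the newest one if they return it.
    if fresh.get("refresh_token"):
        record["refresh_token"] = fresh["refresh_token"]
    return record["access_token"]

def revoke_session(session_id: str) -> bool:
    """Logout: dropping the record suffices because the browser never held the refresh token."""
    return _SESSIONS.pop(_key(session_id), None) is not None
```

A real deployment would also encrypt the stored refresh token at rest and set the cookie with `HttpOnly`, `Secure` and `SameSite` attributes.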