I recently implemented JWT auth with .NET Core Identity.
I know that, to reduce the number of authentications needed to get an access token (when it expires after a short time, aiming for more security), we use a refresh token to renew the access token instead of re-authenticating.
I am thinking: if a man-in-the-middle tries to steal the refresh token to get a new access token and make a request (hijacking the token), how could the system detect it and reject the request?
I mean, is there a solution so that if a JWT has been stolen by someone for impersonation, the server recognizes it and rejects it? (I know SSL could help, but I am thinking about other ways, for example, encrypting the JWT by time and IP or ...?)