Awesome and easy to understand! Thank You Very Much! I do have one question though, that I can't seem to find the answer to. For refresh token rotation, is it a sliding rotation? Meaning when I get a new refresh token is the expiration pushed back further than the initial expiration? Or is there a way to configure it to, regardless of how many refresh tokens I get, have a combined expiration of... let's say 30 days?
Thanks for your question! Let us do some research and get back to you, please 🙏
Sir, thank you very much, I have been searching for this for a long time 😂 ...
From India 🇮🇳 ♥️
Awesome video! However, I wonder if the token family breaks the server's statelessness?
Thank you! It helped me a lot
Glad to hear that!
Clearly explained. Thanks. But how can a beginner get an example of using Okta and Spring Boot 3 microservices?
@Matt Raible Thanks.
@OktaDev Thanks. But do you know if there are any major changes I should be aware of, in case I want to use Okta with a Spring Boot 3 application?
Thanks for your feedback. We don't have content on Spring Boot 3 yet but we'll keep that in mind as a topic to tackle.
What happens if the refresh token was replayed by a hacker before the real user needs it? So the hacker gets the new 2nd access token. So silly 😂. The whole thing has a flaw! The persistence of the token should be on the SP side, so don't post them and stop. Not the IDP checking later, which is pure useless.
I see the whole flow as bullshit; in the next years there must be a much better way of doing this. Current methods are so ridiculous.