diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_refresh.adoc b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_refresh.adoc index 3b91e0bfa..571bfcc21 100644 --- a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_refresh.adoc +++ b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_refresh.adoc 
@@ -63,15 +63,15 @@ whether the location is still the same if not revoke all the tokens and let the === Need for refresh tokens Does it make sense to use a refresh token in a modern single page application (SPA)? As we have seen in the section -about storing tokens there are two option: web storage or a cookie which mean a refresh token is right beside an -access token, so if the access token is leaked changes are the refresh token will also be compromised. Most of the time -there is a difference of course, the access token is send when you make an API call, the refresh token is only send +about storing tokens there are two options: web storage or a cookie which mean a refresh token is right beside an +access token, so if the access token is leaked chances are the refresh token will also be compromised. Most of the time +there is a difference of course. The access token is sent when you make an API call, the refresh token is only sent when a new access token should be obtained, which in most cases is a different endpoint. If you end up on the same -server you can chose to only use the access token. +server you can choose to only use the access token. As stated above using an access token and a separate refresh token gives some leverage for the server not to check the access token over and over. Only perform the check when the user needs a new access token. -It is certainly possible to only use an access token, at the server you store the exact same information you would +It is certainly possible to only use an access token. At the server you store the exact same information you would store for a refresh token, see previous paragraph. This way you need to check the token each time but this might be suitable depending on the application. In the case the refresh tokens are stored for validation it is important to protect these tokens as well (at least use a hash function to store them in your database).
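Review bot: The added line "there are two options: web storage or a cookie which mean a refresh token is right beside an" still has a subject-verb agreement error that this typo-fix change should catch while it is in this paragraph: "which mean" should read "which means" (the subject is the singular choice of storage location). The other corrections in the hunk ("changes" to "chances", "send" to "sent", "chose" to "choose", and splitting the run-on sentences) look right. One further optional nit in the unchanged context: "In the case the refresh tokens are stored for validation" reads more naturally as "In case the refresh tokens are stored for validation" or "When refresh tokens are stored for validation", and could be folded into this same cleanup since it is in the same lesson text.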