TL;DR If you have very simple scenarios, like a single client application, a single API then it might not pay off to go OAuth 2.0, on the other hand, lots of different clients (browser-based, native mobile, server-side, etc) then sticking to OAuth 2.0 rules might make it more manageable than trying to roll your own … Read more
I too have been researching this question, and while none of the ideas below are complete solutions, they might help others rule out ideas, or provide further ones. 1) Simply remove the token from the client Obviously this does nothing for server side security, but it does stop an attacker by removing the token from … Read more
I work at Auth0 and I was involved in the design of the refresh token feature. It all depends on the type of application and here is our recommended approach. Web applications A good pattern is to refresh the token before it expires. Set the token expiration to one week and refresh the token every … Read more