Victor Alexandrov

Results 12 comments of Victor Alexandrov

Hi! Do you have any working build for this feature? I would be very grateful if you could provide me a branch name or link to build from. I'm also trying...

Discussed here https://ory-community.slack.com/archives/C012RBW0F18/p1618509467183800

The exact same scenario is described in a draft of browser-based app (SPA) security considerations while using refresh tokens here https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07#section-8 Additional information on the topic could be found here https://auth0.com/blog/securing-single-page-applications-with-refresh-token-rotation/...

1. I do not request removal of `offline_access` support and hence breaking the certification, of course! 2. The linked blog post explains the need for refresh tokens in an SPA...

At the moment, getting a refresh token allows the SPA, indefinitely and regardless of login/consent expiration, to have access to my API or (in case of token misuse/XSS in the SPA) allows an adversary...

>Are you looking at a first-party use case for your SPA? This could be either first- or third-party case, the main point is that SPA developer is not trusted to...

>Instead I would propose that we allow you to configure if the refresh tokens should have a rolling expiry window (so every new refresh token resets the expires at time)...

>Silent refresh is on the way out as it relies on iframes, which does not work well cross-domain - one of the major reasons for using OpenID Connect! This is...

You should save it in BGMDriver or periodically (or on event?) transmit volume/pan settings from app to driver, because if an app is started after saved settings are transmitted/applied the...

Same issue #331