Konubinix' opinionated web of thoughts

Use Different Kinds of Scope

Fleeting

Use different kinds of scope for access tokens.

For the day-to-day stuff in OAuth 2.0, use a very long-lived refresh token with a very small scope.

For the critical stuff, ask for a more critical scope and don't provide a refresh token.

That way, the day-to-day use is straightforward and the critical stuff requires logging in again.
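As an added illustration (not part of this note): a minimal authorization-server policy in Python that applies the split above. The scope names, lifetimes and function names are assumptions; the one rule taken from the standard is that a refresh grant may not widen the originally granted scope (RFC 6749 section 6).

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed classification of scopes; the note itself names no concrete scopes.
CRITICAL_SCOPES = frozenset({"payments:write", "account:delete"})
ACCESS_TTL = 10 * 60               # access tokens stay short-lived in both cases
LONG_REFRESH_TTL = 90 * 24 * 3600  # very long-lived refresh token for day-to-day scope


@dataclass(frozen=True)
class TokenResponse:
    scope: FrozenSet[str]
    access_expires_in: int
    refresh_expires_in: Optional[int]  # None means no refresh token was issued


def issue_tokens(requested_scope, fresh_login: bool) -> TokenResponse:
    """Authorization-code grant: choose the token shape from the requested scope."""
    scope = frozenset(requested_scope)
    if scope & CRITICAL_SCOPES:
        # Critical scope: only right after an interactive login, and with no
        # refresh token, so the next critical action forces a login again.
        if not fresh_login:
            raise PermissionError("critical scope requires a fresh login")
        return TokenResponse(scope, ACCESS_TTL, refresh_expires_in=None)
    # Day-to-day scope: narrow, but paired with a long-lived refresh token.
    return TokenResponse(scope, ACCESS_TTL, refresh_expires_in=LONG_REFRESH_TTL)


def refresh(session: TokenResponse, requested_scope=None) -> TokenResponse:
    """Refresh grant: scope may only be narrowed, never widened (RFC 6749 section 6)."""
    if session.refresh_expires_in is None:
        raise PermissionError("no refresh token was issued for this session")
    scope = frozenset(requested_scope) if requested_scope is not None else session.scope
    if not scope <= session.scope:
        raise PermissionError("refresh may not widen the granted scope")
    # A refresh is never a fresh login, so critical scope can never be reached
    # through it; issue_tokens enforces that.
    return issue_tokens(scope, fresh_login=False)
```

The resource server still has to check the scope on every request; this block only decides what the authorization server hands out.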

see security vs usability
