Hashing Refresh Tokens #11
I have an app where a user can log in using their email and password. The password is hashed using Argon2id in the DB. A stateless JWT accessToken and a refreshToken, whose value is generated from SecureRandom.GetString(), are returned in the response. The client would then store both tokens in cookies. The refreshToken is stored in the DB as the primary key along with an expiration date. The randomly generated value will be visible in the browser in the cookies list. The value is generally longer than most passwords would be. It can be used to request a new accessToken via a /refresh endpoint. In the DB, I'd like to hash the refreshToken value. I see BLAKE2b isn't recommended for passwords. Would you consider a refreshToken a password? Would you recommend using Argon2id or BLAKE2b for the refresh token hash?
Replies: 1 comment
Because the refresh token is randomly generated and sufficiently long to be high in entropy, using BLAKE2b is fine. You don't need a slowdown or a salt in this scenario, so Argon2id is unnecessary. Good luck with your project.
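The scheme discussed in the question and answer above, as an added example that is not part of the original thread and not the poster's C# code: the refresh token is 256 bits from the CSPRNG, only its unkeyed, unsalted BLAKE2b-256 digest is stored as the primary key next to an expiry, and the /refresh path hashes the presented token and looks the digest up. Storing only the digest means a copy of the table cannot be replayed, and because the preimage is uniformly random and far longer than any password, a fast hash is sufficient: there is no low-entropy input for a salt or a slow KDF to protect. The in-memory table, the single-use rotation on refresh, the 30-day TTL and the injectable clock are assumptions made for this illustration.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_BYTES = 32                 # 256 bits of CSPRNG entropy per refresh token
DIGEST_SIZE = 32                 # BLAKE2b-256 output
REFRESH_TTL_SECONDS = 30 * 24 * 3600   # assumption: 30-day refresh token lifetime


def hash_refresh_token(token: str) -> str:
    """Digest stored in the DB in place of the raw token.

    Unkeyed and unsalted on purpose: the input is a uniformly random
    256-bit value, so an attacker holding the table gains nothing from
    guessing, and Argon2id-style slowdown would only add server cost.
    """
    return hashlib.blake2b(token.encode("ascii"), digest_size=DIGEST_SIZE).hexdigest()


class RefreshTokenStore:
    """Hypothetical stand-in for the refresh token table.

    Row layout mirrors the question: primary key = token hash,
    value = (user_id, expires_at). The raw token never touches the store.
    """

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._rows: Dict[str, Tuple[str, float]] = {}

    def issue(self, user_id: str) -> str:
        """Create a refresh token for user_id; return the raw token to send
        to the client (as the Set-Cookie value) and persist only its hash."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._rows[hash_refresh_token(token)] = (user_id, self._now() + REFRESH_TTL_SECONDS)
        return token

    def refresh(self, presented: str) -> Optional[Tuple[str, str]]:
        """Handle /refresh: hash the presented cookie value, look it up,
        reject expired or unknown tokens, and rotate.

        Returns (user_id, new_refresh_token) on success, None otherwise.
        Rotation (deleting the used row and issuing a fresh token) is a
        design choice added here, not something the thread prescribes.
        """
        row = self._rows.pop(hash_refresh_token(presented), None)
        if row is None:
            return None                       # unknown, already used, or tampered
        user_id, expires_at = row
        if self._now() >= expires_at:
            return None                       # expired: row is dropped, not reused
        return user_id, self.issue(user_id)


if __name__ == "__main__":
    store = RefreshTokenStore()
    raw = store.issue("alice")
    print("cookie value :", raw)
    print("stored key   :", hash_refresh_token(raw))
    print("refresh      :", store.refresh(raw))
    print("replay       :", store.refresh(raw))   # None: single use
```

On a real database the digest column is the primary key, so the lookup is an indexed equality match; the digest is a one-way function of a high-entropy secret, so no constant-time comparison is needed at the lookup, unlike a password check.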