UNSOLVED Is it sefe to get access to GET /api/jwt/refresh?userId={userId} method?



  • I can get all refresh tokens for user if I know the user id and API authorization key. Everybody can see authorization key. User id is data that never expires, can be stolen and does not have confidential character. Why do we have this method? I think it is easy way to get token for any user...



  • Hiya,

    When you say

    Everybody can see authorization key.

    Who do you mean? Do you mean anyone with access to the FusionAuth admin console? Or some other set of users?


Log in to reply
 

Looks like your connection to FusionAuth Forum was lost, please wait while we try to reconnect.