8. Advanced: Refresh Token Rotation
When the access token expires (typically after about an hour), the user would be logged out. To avoid that, the client holds a longer-lived refresh token that it can exchange for a new access token without re-authenticating. The flip side: a refresh token is a bearer credential, so an attacker who steals it can keep minting fresh access tokens for as long as the refresh token stays valid, which for a non-expiring token means indefinitely.
Solution: refresh token rotation.
- Each time a refresh token is exchanged for a new access token, the server also issues a NEW refresh token.
- The OLD refresh token is marked as used and immediately invalidated.
- If anyone later presents that old refresh token, the server treats it as reuse detection: it cannot tell whether the replay came from the attacker or from the legitimate client, so it revokes the entire token family (every token descended from the original login), logging out both the victim and the attacker.
Rotation on its own only shrinks the window an attacker has; reuse detection is what turns a silent, open-ended compromise into a loud, self-limiting one, since the victim is forced to log in again and the attacker loses access. One caveat: a legitimate client that never receives the rotation response (a dropped connection mid-exchange) will innocently replay the old token and trip the same detector, which is why some implementations tolerate a very short grace window after a rotation.
Supabase Auth does this out of the box, and Auth.js (NextAuth.js) documents the rotation pattern for its jwt callback rather than doing it for you. This is yet another reason not to build OAuth from scratch unless you enjoy reading IETF RFCs for fun: rotation and reuse detection are spelled out in the OAuth 2.0 Security Best Current Practice (RFC 9700), and the bookkeeping is easy to get subtly wrong.