I am building a project which needs authentication obviously. I really liked the concept of refresh tokens and access tokens as it takes off load from the server and really awesome. But then I faced the issue of refresh token getting expired after some time and looking for solution, I came across an article from auth0 about refresh token rotation. It is also a really cool concept but I felt like it kills the concept of using JWT because you have to get a new refresh token every few minutes. So I thought of a solution which is like a mix of both of these approaches and I need your help if it is safe to pursue this idea and what are possible risks and their solutions.

Reference:- refresh token rotation

refresh token has expiry of e.g. 10 days and access tokens can be generated with the help of the refresh token. The Backend will keep record of all the previous refresh tokens issued in a family. The user can request to renew the refresh token e.g. 2 days from expiry but cannot renew 5 days from expiry. Now the old refresh token can still be used to generate access tokens until it expires, but it cannot be used to create a new refresh token. The new refresh token can also be used to generate access tokens and can be used to create new refresh token between 2 days from expiry. Because the backend is keeping record of the old refresh tokens, if someone tries to renew the refresh token with the old one, the whole family of refresh tokens is invalidated including the new one because server doesn't know which one is the genuine user. The server also keeps blacklisted refresh tokens so that the newly issued refresh token cannot be used to generate access tokens. Both the genuine and malicious user are logged out and revoked access. work flow of this idea