SyntaxFix

[security] JWT refresh token flow

I'm building a mobile app and am using JWT for authentication.

It seems like the best way to do this is to pair the JWT access token with a refresh token so that I can expire the access token as frequently as I want.

  1. What does a refresh token look like? Is it a random string? Is that string encrypted? Is it another JWT?
  2. The refresh token would be stored in the database on the user model for access, correct? It seems like it should be encrypted in this case
  3. Would I sent the refresh token back after a user login, and then have the client access a separate route to retrieve an access-token?

This question is related to security authentication oauth-2.0 jwt

The answer is

Based in this implementation with Node.js of JWT with refresh token:

1) In this case they use a uid and it's not a JWT. When they refresh the token they send the refresh token and the user. If you implement it as a JWT, you don't need to send the user, because it would inside the JWT.

2) They implement this in a separated document (table). It has sense to me because a user can be logged in in different client applications and it could have a refresh token by app. If the user lose a device with one app installed, the refresh token of that device could be invalidated without affecting the other logged in devices.

3) In this implementation it response to the log in method with both, access token and refresh token. It seams correct to me.

Below are the steps to do revoke your JWT access token:

  1. When you do log in, send 2 tokens (Access token, Refresh token) in response to the client.
  2. The access token will have less expiry time and Refresh will have long expiry time.
  3. The client (Front end) will store refresh token in his local storage and access token in cookies.
  4. The client will use an access token for calling APIs. But when it expires, pick the refresh token from local storage and call auth server API to get the new token.
  5. Your auth server will have an API exposed which will accept refresh token and checks for its validity and return a new access token.
  6. Once the refresh token is expired, the User will be logged out.

Please let me know if you need more details, I can share the code (Java + Spring boot) as well.

For your questions:

Q1: It's another JWT with fewer claims put in with long expiry time.

Q2: It won't be in a database. The backend will not store anywhere. They will just decrypt the token with private/public key and validate it with its expiry time also.

Q3: Yes, Correct

Source: Stackoverflow.com

Examples related to security

Monitoring the Full Disclosure mailinglist Two Page Login with Spring Security 3.2.x How to prevent a browser from storing passwords JWT authentication for ASP.NET Web API How to use a client certificate to authenticate and authorize in a Web API Disable-web-security in Chrome 48+ When you use 'badidea' or 'thisisunsafe' to bypass a Chrome certificate/HSTS error, does it only apply for the current site? How does Content Security Policy (CSP) work? How to prevent Screen Capture in Android Default SecurityProtocol in .NET 4.5

Examples related to authentication

Set cookies for cross origin requests How Spring Security Filter Chain works What are the main differences between JWT and OAuth authentication? http post - how to send Authorization header? ASP.NET Core Web API Authentication Token based authentication in Web API without any user interface Custom Authentication in ASP.Net-Core Basic Authentication Using JavaScript Adding ASP.NET MVC5 Identity Authentication to an existing project LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

Examples related to oauth-2.0

Using Axios GET with Authorization Header in React-Native App What are the main differences between JWT and OAuth authentication? How do I get an OAuth 2.0 authentication token in C# Using Postman to access OAuth 2.0 Google APIs Correct way to set Bearer token with CURL Using an authorization header with Fetch in React Native Getting "error": "unsupported_grant_type" when trying to get a JWT by calling an OWIN OAuth secured Web Api via Postman JWT (Json Web Token) Audience "aud" versus Client_Id - What's the difference? JWT refresh token flow Spring-Security-Oauth2: Full authentication is required to access this resource

Examples related to jwt

jwt check if token expired Is it safe to store a JWT in localStorage with ReactJS? Unsupported Media Type in postman How Spring Security Filter Chain works JWT authentication for ASP.NET Web API What are the main differences between JWT and OAuth authentication? RS256 vs HS256: What's the difference? How to decode jwt token in javascript without using a library? How to decode JWT Token? How to destroy JWT Tokens on logout?

Tags

Cocotron Jquery-easing Inf Hostheader Default-database Blas Jdom Openoffice-calc Secure-coding Tablename Infiniband Xargs Xss Design-time-data Quantumgrid Vsprops Differential-equations Bho Upsert Cics Windows-identity Fontmetrics Bins Tagname Let X509certificate Css-selectors Principal Squid Domdocument Gkpeerpickercontroller Web-services-enhancements Excel-2002 Gwt-compiler Phone-number Component-services Amazon-product-api Nintex-workflow Jcaps Cargo Isolation Fault-tolerance Data-dump Libreadline Context-info Win32-process Dataitem Local Wcf-callbacks Netsh Block Uitabview Masstransit Excelpackage Ora-00923 Installshield-2009 Devenv Fileloadexception Memory-corruption Ado.net-entity-data-model Proxy Cracking Phpspec Navigationbar Volumes Pbs Folder-security Notification-area Event-bubbling Repost Directshow Tinyxpath Rhino Oracle-ucm Parallel-builds Fdt Rationale Install-sequence Attachment Createthread Non-scrolling Protobuf-net Css-friendly Database Tamil Template-control Spgroup Jdesktop Nsviewanimation Ora-12154 Flash-cs5 Intel-atom Datagridviewcheckboxcell Monitor Impromptu Mplayer Cakephp Oracleclient Directory-listing Pydev