JWT refresh token flow

Question

I m building a mobile app and am using JWT for authentication   It seems like the best way to do this is to pair the JWT access token with a refresh token so that I can expire the access token as frequently as I want    What does a refresh token look like  Is it a random string  Is that string encrypted  Is it another JWT  The refresh token would be stored in the database on the user model for access  correct  It seems like it should be encrypted in this case Would I sent the refresh token back after a user login  and then have the client access a separate route to retrieve an access-token

User · Accepted Answer

Assuming that this is about OAuth 2 0 since it is about JWTs and refresh tokens       just like an access token  in principle a refresh token can be anything including all of the options you describe  a JWT could be used when the Authorization Server wants to be stateless or wants to enforce some sort of  proof-of-possession  semantics on to the client presenting it  note that a refresh token differs from an access token in that it is not presented to a Resource Server but only to the Authorization Server that issued it in the first place  so the self-contained validation optimization for JWTs-as-access-tokens does not hold for refresh tokens that depends on the security access of the database  if the database can be accessed by other parties servers applications users  then yes  but your mileage may vary with where and how you store the encryption key     an Authorization Server may issue both access tokens and refresh tokens at the same time  depending on the grant that is used by the client to obtain them  the spec contains the details and options on each of the standardized grants

User · Answer

Based in this implementation with Node js of JWT with refresh token   1  In this case they use a uid and it s not a JWT  When they refresh the token they send the refresh token and the user  If you implement it as a JWT  you don t need to send the user  because it would inside the JWT   2  They implement this in a separated document  table   It has sense to me because a user can be logged in in different client applications and it could have a refresh token by app  If the user lose a device with one app installed  the refresh token of that device could be invalidated without affecting the other logged in devices   3  In this implementation it response to the log in method with both  access token and refresh token  It seams correct to me

User · Answer

Below are the steps to do revoke your JWT access token   When you do log in  send 2 tokens  Access token  Refresh token  in response to the client  The access token will have less expiry time and Refresh will have long expiry time  The client  Front end  will store refresh token in his local storage and access token in cookies  The client will use an access token for calling APIs  But when it expires  pick the refresh token from local storage and call auth server API to get the new token  Your auth server will have an API exposed which will accept refresh token and checks for its validity and return a new access token  Once the refresh token is expired  the User will be logged out   Please let me know if you need more details  I can share the code  Java   Spring boot  as well  For your questions  Q1  It s another JWT with fewer claims put in with long expiry time  Q2  It won t be in a database  The backend will not store anywhere  They will just decrypt the token with private public key and validate it with its expiry time also  Q3  Yes  Correct

[security] JWT refresh token flow

Examples related to security

Examples related to authentication

Examples related to oauth-2.0

Examples related to jwt