JWT refresh token flow

by

Below are the steps to do revoke your JWT access token:

  1. When you do log in, send 2 tokens (Access token, Refresh token) in response to the client.
  2. The access token will have less expiry time and Refresh will have long expiry time.
  3. The client (Front end) will store refresh token in his local storage and access token in cookies.
  4. The client will use an access token for calling APIs. But when it expires, you call auth server API to get the new token (refresh token is automatically added to http request since it’s stored in cookies).
  5. Your auth server will have an API exposed which will accept refresh token and checks for its validity and return a new access token.
  6. Once the refresh token is expired, the User will be logged out.

Please let me know if you need more details, I can share the code (Java + Spring boot) as well.

For your questions:

Q1: It’s another JWT with fewer claims put in with long expiry time.

Q2: It won’t be in a database. The backend will not store anywhere. They will just decrypt the token with private/public key and validate it with its expiry time also.

Q3: Yes, Correct

More Related Contents:

  1. JWT (JSON Web Token) automatic prolongation of expiration
  2. Where to store JWT in browser? How to protect against CSRF?
  3. Best practices for server-side handling of JWT tokens [closed]
  4. If you can decode JWT, how are they secure?
  5. Why Does OAuth v2 Have Both Access and Refresh Tokens?
  6. What is token-based authentication?
  7. Authentication versus Authorization
  8. Non-random salt for password hashes
  9. Cross Domain Login – How to log a user in automatically when transferred from one domain to another
  10. Where do you store your salt strings?
  11. SPA best practices for authentication and session management
  12. Is it safe to put a jwt into the url as a query parameter of a GET request?
  13. What’s the right OAuth 2.0 flow for a mobile app
  14. How do I store and retrieve credentials from the Windows Vault credential manager?
  15. Symfony2 extending DefaultAuthenticationSuccessHandler
  16. What are the main differences between JWT and OAuth authentication?
  17. Best way for a ‘forgot password’ implementation? [closed]
  18. OAuth2 and Google API: access token expiration time?
  19. What is the best Distributed Brute Force countermeasure? [closed]
  20. Should I hash the password before sending it to the server side?
  21. Should JWT be stored in localStorage or cookie? [duplicate]
  22. How to do stateless (session-less) & cookie-less authentication?
  23. Using Symfony2’s AccessDeniedHandlerInterface
  24. How to manually decrypt an ASP.NET Core Authentication cookie?
  25. Secure Google Cloud Functions http trigger with auth
  26. Google Authenticator available as a public service?
  27. client secret in OAuth 2.0
  28. What are best practices for securing the admin section of a website? [closed]
  29. Securing an API: SSL & HTTP Basic Authentication vs Signature
  30. is it bad to pass jwt token as part of url?

Leave a Comment