Reputation: 6242
I am using JWT to provide authorization for a user to perform actions on my app. It works great as I don't have to hit the database to see if the user is valid. The problem I face with JWT is that when the token expires the user has to log in again. Reading on the internet, I have seen that refresh tokens can be used to solve this problem, but there is no idiot-proof explanation of how it works. How do they work? Is database access required?
Upvotes: 1
Views: 783
Reputation: 2430
There isn't a hard-and-fast rule on exactly how refresh tokens work.
The idea of a refresh token is a long lived token of some sort that can be exchanged for a new JWT access token in the future. This allows the client to request a new JWT access token for the user without the user having to authenticate manually.
It is entirely possible to hand out refresh tokens that are also JWTs, which allows you to validate the refresh token and grant a new JWT access token without hitting the database as you requested. It is also possible for the refresh token to be an opaque string that you look up in the database.
The drawback to handing out long-lived JWT refresh tokens is that they are harder to revoke. It is possible to keep a list of revoked refresh tokens in memory that can be checked before granting new access tokens, but that removes the "stateless" nature of them.
Upvotes: 3
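Both variants the answer describes, written out as an added example (this is not code from the question or the answer). It assumes HS256-signed JWTs with a constructed demo key, a short access-token lifetime and a long refresh-token lifetime, an in-memory set as the revocation list for the JWT-refresh variant, and an in-memory dict standing in for the database table of the opaque-token variant; all function and constant names are hypothetical. Only the standard library is used, so it runs as-is.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a real deployment loads this from a secrets store.
SECRET_KEY = b"demo-hmac-key-replace-me"
ACCESS_TTL = 15 * 60             # short-lived access JWT: 15 minutes
REFRESH_TTL = 30 * 24 * 60 * 60  # long-lived refresh token: 30 days


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, expected_use: str, key: bytes = SECRET_KEY, now=None) -> dict:
    """Return the claims if signature, expiry and token use all check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("use") != expected_use:  # an access token must not work at the refresh endpoint
        raise ValueError("wrong token use")
    return claims


# --- Variant 1: the refresh token is itself a JWT (no lookup until you need revocation) ---

# Revocation list keyed by the refresh token's jti claim. This in-memory set is the
# state the answer says you take on once revocation is required.
REVOKED_REFRESH_IDS = set()


def issue_token_pair(user_id: str, now=None) -> dict:
    """Called once at login: short-lived access JWT plus long-lived refresh JWT."""
    now = time.time() if now is None else now
    access = sign_jwt({"sub": user_id, "use": "access", "iat": now, "exp": now + ACCESS_TTL})
    refresh = sign_jwt({"sub": user_id, "use": "refresh", "jti": secrets.token_hex(16),
                        "iat": now, "exp": now + REFRESH_TTL})
    return {"access_token": access, "refresh_token": refresh}


def refresh_with_jwt(refresh_token: str, now=None) -> str:
    """Exchange a valid, unrevoked refresh JWT for a new access JWT; no database involved."""
    claims = verify_jwt(refresh_token, "refresh", now=now)
    if claims["jti"] in REVOKED_REFRESH_IDS:
        raise ValueError("refresh token revoked")
    now = time.time() if now is None else now
    return sign_jwt({"sub": claims["sub"], "use": "access", "iat": now, "exp": now + ACCESS_TTL})


def revoke_refresh_jwt(refresh_token: str, now=None) -> None:
    """Logout or compromise response: remember the jti so it can no longer mint access tokens."""
    claims = verify_jwt(refresh_token, "refresh", now=now)
    REVOKED_REFRESH_IDS.add(claims["jti"])


# --- Variant 2: opaque refresh token, looked up server-side on every refresh ---

# Stand-in for a database table: sha256(token) -> {"sub": ..., "exp": ...}.
# Storing only the hash means a leaked copy of the table yields no usable tokens.
REFRESH_STORE = {}


def issue_opaque_refresh(user_id: str, now=None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    REFRESH_STORE[hashlib.sha256(token.encode()).hexdigest()] = {"sub": user_id, "exp": now + REFRESH_TTL}
    return token


def refresh_with_opaque(token: str, now=None) -> str:
    """Exchange an opaque refresh token for a new access JWT; revocation is deleting the row."""
    now = time.time() if now is None else now
    record = REFRESH_STORE.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["exp"] <= now:
        raise ValueError("unknown or expired refresh token")
    return sign_jwt({"sub": record["sub"], "use": "access", "iat": now, "exp": now + ACCESS_TTL})


def revoke_opaque_refresh(token: str) -> None:
    REFRESH_STORE.pop(hashlib.sha256(token.encode()).hexdigest(), None)
```

Two things worth noticing in the example. The `use` claim is what stops a client from presenting a short-lived access token to the refresh endpoint (or a refresh token to a resource server), so both token kinds must carry it and both verifiers must check it. And the revocation set only adds state at the refresh endpoint: access tokens stay stateless and remain valid until `exp`, which is why the access lifetime is kept short.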