Reputation: 157
JSON Web Token Implementation: access and refresh token
I am about to implement an authentication system that uses the JSON Web Token(JWT) approach. I read online multiple approaches taken but they seem to always be slightly different than the on I'm thinking on using.
The approach I am thinking of is:
A user logs in causing the server to create a refresh token and an access token. (The Refresh token consists of an id and an expiry date, and the access token is a JWT valid for 15 minutes that contains the refresh token id)
The user can make several successful requests using the access token until it expires
Once the user does a request with an expired token, the server checks if the refresh token id contained within the expired access token matches the current refresh token
If it matches, change the refresh token id and create a new access token containing the new refresh token id
If it doesn't match, ask for authentication
I believe that this approach has the following advantages:
it doesn't require the client to deal with the refresh token directly
a DB or cache request has to be done only once every 15 minutes to check on the refresh token
it allows the application to terminate a session by removing the refresh token from the DB or cache.
the server will create only one access token that matches a refresh token. Once the access token is renewed, using it again will not cause another refresh action
Could anyone comment on this? Is this a good approach?
Upvotes: 1
Views: 886
Answers (1)
Reputation: 39291
The objective of refresh tokens is allow applications to obtain a new access token without re-authenticate minimizing the effect of a stolen token. If you allow to renew automatically including a refresh ID in the token itself, you are in fact extending the lifetime of the token without deliberately requiring the refresh token
An attacker who stoles a JWT could indefinitely impersonate user until the user performs a new access and ID does not match.
I think it is more secure to obtain a new access token before it expire using specifically the refresh token
Upvotes: 1
Related Questions
- JWT Authorization and Refresh token in .NET 5 Web API
- JWT authentication & refresh token implementation
- How to implement Json Web Token (JWT) effectively?
- Json Web Token JWT
- JSON web token auth logic with refresh tokens
- JSON Web Tokens: Refresh and Access
- Correct usage of JSON Web Tokens
- Understanding JSON Web Token (JWT) in context of web authentication
- JSON Web Tokens & OAuth
- Json Web Token + User Authentication