Mike

Reputation: 282

Handling JWT and Refresh token flow

I am building a front end in React that accesses multiple microservice APIs that I am also building. For auth I have built a JWT login system but was wondering what the process is for handling refresh tokens.

  1. Is the refresh token inside the JWT with the user info, or is it in its own token with a different encryption for extra protection?

  2. If it is in its own token, what should the other microservices respond with to the React app if the JWT is invalid and needs to be refreshed? Is there a common HTTP status code used?

  3. I have read that a refresh token should be more secure than your JWT because it can be used to issue JWTs and will have a longer active time. Is there any extra security past encryption that can be done server side or client side that isn't already done for JWTs?

  4. When should you refresh the refresh token with a new token and a timestamp at which it becomes invalid?

Upvotes: 3

Views: 2156

Answers (1)

pedrofb

Reputation: 39291

Is the refresh token inside the JWT with the user info, or is it in its own token with a different encryption for extra protection?

If you are asking about refresh tokens as defined in OAuth2, a refresh token is returned by the authorization server after a successful user authentication. It is just a random string. With a refresh token, the client can get access tokens (your JWT).

If it is in its own token, what should the other microservices respond with to the React app if the JWT is invalid and needs to be refreshed? Is there a common HTTP status code used?

They must reject the request. Use 401 Unauthorized.

I have read that a refresh token should be more secure than your JWT because it can be used to issue JWTs and will have a longer active time. Is there any extra security past encryption that can be done server side or client side that isn't already done for JWTs?

Use HTTPS to get the refresh tokens. Additional encryption will not increase the security level, because possession of the token is the proof of authentication. But you need to keep it secure.

When should you refresh the refresh token with a new token and a timestamp at which it becomes invalid?

It depends on the system. OAuth2 does not specify it. They are usually long-lived, but in some cases I have seen recommendations to renew it after each use.

Upvotes: 3
