Reputation: 3303
For example, suppose I want to determine if a user is still "logged in"... AKA their token is not yet expired.
I store my JWT access_token in localStorage when I am first issued the access_token. I know it isn't enough to simply check localStorage to see whether the access_token is there or not. I read about the introspection endpoint, but that seems to be for APIs, not JS clients. Is the best approach to use a client-side library for JWT validation? I don't like this because there is a chance I may need to switch to reference tokens. I would like to make a call to the server side for this.
What is the correct way to validate an access_token with a JavaScript client?
Update: Upon further investigation and with advice from leastprivilege I will be using the OIDC JavaScript client so I don't need to worry about this.
Upvotes: 1
Views: 1744
Reputation: 18482
Client applications are not supposed to "decode" an access token. The exact format is an implementation detail between issuer and API.
When requesting an access token, the token response contains an 'expires_in' parameter that tells the client for how many seconds the token is valid.
Upvotes: 3
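The approach in the answer above, as an added example that is not code from the original post or from any library it mentions: the client never inspects the token itself; it records an absolute expiry computed from `expires_in` at the moment the token response arrives, and later consults only that timestamp. The storage key, the function names, the in-memory storage stand-in and the 30-second skew margin are all assumptions made for this example. Storage is injected so the code runs in Node; in a browser you would pass `window.localStorage`, which exposes the same `getItem`/`setItem`/`removeItem` methods.

```javascript
// Added example (not from the original post): track access-token validity from
// the token response's `expires_in` field instead of decoding the token.
// Storage is injected so this runs in Node; in a browser pass window.localStorage.

const STORAGE_KEY = 'oauth_token'; // assumed key name, not from the original post

// Persist { access_token, expires_at } where expires_at is epoch milliseconds.
// `now` is a parameter so the behaviour is testable without a real clock.
function storeTokenResponse(storage, tokenResponse, now = Date.now()) {
  if (typeof tokenResponse.expires_in !== 'number' || tokenResponse.expires_in <= 0) {
    throw new Error('token response has no usable expires_in');
  }
  const record = {
    access_token: tokenResponse.access_token,
    expires_at: now + tokenResponse.expires_in * 1000,
  };
  storage.setItem(STORAGE_KEY, JSON.stringify(record));
  return record;
}

// Return the token if it is still valid, else null. The skew margin makes the
// client treat a token as expired slightly early, so a request sent just before
// expiry does not reach the API after the token has actually lapsed.
function getValidAccessToken(storage, { now = Date.now(), skewMs = 30000 } = {}) {
  const raw = storage.getItem(STORAGE_KEY);
  if (raw === null) return null;
  let record;
  try {
    record = JSON.parse(raw);
  } catch (_e) {
    storage.removeItem(STORAGE_KEY); // corrupted entry: treat as logged out
    return null;
  }
  if (typeof record.expires_at !== 'number' || now + skewMs >= record.expires_at) {
    storage.removeItem(STORAGE_KEY); // expired: discard so the app requests a new one
    return null;
  }
  return record.access_token;
}

// Minimal in-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed sample token response in the shape an OAuth 2.0 token endpoint
// returns. The access_token value is deliberately opaque: the client never reads it.
const sampleResponse = {
  access_token: 'opaque-or-jwt-value-the-client-does-not-inspect',
  token_type: 'Bearer',
  expires_in: 3600,
};

// Usage: store on receipt, then ask before each API call.
const storage = memoryStorage();
storeTokenResponse(storage, sampleResponse);
const token = getValidAccessToken(storage); // sampleResponse.access_token while fresh
```

Because only `expires_in` is consulted, the same code keeps working if the issuer later switches from JWTs to reference tokens. A `null` result here means "obtain a new token" (refresh token or a fresh authorization), not "the token is trusted"; only the API, which validates the token on every request, decides that.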
Reputation: 1319
This library might be useful to you: oidc-client-js. Some documentation is available here.
Upvotes: 1
Reputation: 668
Most JWT tokens come with an expiry date field for the expiration time (depending on the server, though). You can use a library like this to decode a JWT token before saving it into your local storage, and then save the expiration time inside with the token, so that you can just check the local storage and the expiry time; if the current day is greater than the expiry time, you discard the previous token and get a new one.
Upvotes: 1
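What the answer above describes, reading the `exp` claim out of the JWT payload, as an added example that is not code from the original post or from the library it links: the payload is base64url-decoded without any signature check, so this only gives the client a hint about when to fetch a new token; it does not validate the token, and the issuer may still reject or revoke it. The function names, the skew margin and the sample token (built inline with a dummy signature) are assumptions made for this example. It uses the `atob`/`btoa` and `TextEncoder`/`TextDecoder` globals available in browsers and in Node 16 or later.

```javascript
// Added example (not from the original post): read `exp` from a JWT payload
// purely as a client-side hint. No signature verification is performed here,
// so nothing in this block establishes that the token is genuine.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  const bin = atob(b64);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // payload JSON may contain non-ASCII
}

function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Return the expiry as epoch milliseconds, or null when the value is not a
// compact JWT with an integer `exp` claim (e.g. an opaque reference token),
// so the caller can fall back to another strategy instead of crashing.
function readExpFromJwt(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  let payload;
  try {
    payload = JSON.parse(base64UrlDecode(parts[1]));
  } catch (_e) {
    return null;
  }
  if (!Number.isInteger(payload.exp)) return null;
  return payload.exp * 1000; // `exp` is a NumericDate in seconds since the epoch
}

// Expired (or about to expire, within the skew margin) relative to `now`.
function isExpired(expMs, now = Date.now(), skewMs = 30000) {
  return now + skewMs >= expMs;
}

// Constructed sample JWT: header and claims are real base64url-encoded JSON, the
// third segment is a placeholder, not a signature. A client-side check like this
// cannot tell the difference, which is exactly why it is only a hint.
function makeSampleJwt(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = base64UrlEncode(JSON.stringify(claims));
  return `${header}.${body}.not-a-real-signature`;
}

// Usage: decode once when the token is received, keep the number alongside it.
const sampleJwt = makeSampleJwt({ sub: 'user-123', exp: 1700000000 });
const sampleExpMs = readExpFromJwt(sampleJwt); // 1700000000000
const needsNewToken = sampleExpMs === null || isExpired(sampleExpMs);
```

Compare this with relying on `expires_in` from the token response: that approach needs no knowledge of the token format, whereas this one silently stops working (returns `null` for every token) the moment the issuer switches to reference tokens, which is the concern raised in the question.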