Create refresh and access token jwt using java

Question

I am using jjwt to create token using the documentation on github https://github.com/jwtk/jjwt#specification-compliant

I understood that I have to create a refresh token store it on my database and use it to create an access token for the user. But I don't find a simple example to help me to understand how to code it. I am able to create a token following the github documentation but i don"t know how to create a refresh token and then an access token using my refresh one.

I am using java on android studio and as back up api using App Engine Java servlet module

Answer 1

Well, it has been a long time, but I think neither of already posted answers actually addresses the original question. Let me handle it:

You should understand, that, technically speaking, your Refresh Token could be anything. Let me explain: you need Refresh Token just to later on reissue an Access and Refresh tokens pair. In most cases, you should store your Refresh Token in database (or in-memory Cache, like Redis). Technically you do not obligated to sign a Refresh Token, or encrypt it. Do the following:

1. Generate Access Token (and of course, it must be signed)

2. Generate Refresh Token the way you want. It can be almost the same JWT, but with far more extended TTL (Time to live). Store it in some data storage, again depends on your requirements

3. Once the Access Token get expired, the Client, to which you have issued tokens, come to you with the Refresh Token you have generated on the step 2. You will pull Refresh Token you have saved on the previous step, check for their equality. If everything is alright (Refresh Tokens matches) - repeat procedure from the first step. That is it.

Hope it helped

Answer 2

even that it has been a long time since then:

You have 2 tokens: one that expires fast (token) and one that expires after a very LONG TIME (refresh token).

The reason for this is because refresh token is actually used very rarely and you don't send it over the network so often. if you send a token very often over the network you have to make it expire fast (it's up to you to decide how long a token lives 30 mins/1 hour/2 days).

When the JWT token where you store the data has expired you use the refresh token (from client side which should be stored securely) and get another token that you send very often over the network.

The flow should be like this:

1. login with credentials => get token (2hours expiry) and refresh token(30 years expiry);
2. client stores both tokens securely
3. token expired
4. using refresh token make a request and get another token that expires in 2 hours
5. refresh token expires after 30 years - logout the user

The refresh token is just used to not put the user insert credentials again

Answer 3

Creating a refresh token is just creating a "normal" token with new (refreshed) data (claims) in it.

It only makes sense if your claims that the server issues change over the time like e.g. the expiration time. Obviously only the token issuer (I assume the server in your case) can refresh the tokens and client needs to poll for them or the server needs to notify the client.

On the server just create the new token with a future expiry time filled in:

Calendar cal = Calendar.getInstance(); // creates calendar
cal.setTime(new Date());
cal.add(Calendar.HOUR_OF_DAY, 1);
cal.getTime();

String compactJws = Jwts.builder()
  .setSubject("Joe")
  .setExpiration(cal.getTime();) // set expiration to e.g. one hour in the future
  .signWith(SignatureAlgorithm.HS512, key)
  .compact();

Hint: you cannot invalidate JWT tokens apart from putting them on a central blacklist what kind of cannibalizes the concept of JWT.