Reputation: 1717
I'm building an app that has a frontend for both iOS and Android, and a backend composed of a Flask API and a MySQL database.
Right now, our authentication uses JWT. Except that I'm not sure I totally understand how it is supposed to work.
I don't know where to find the specifications for JWT, so when I say JWT I simply mean a JSON payload encrypted using the PyJWT library.
Currently, the expiration of the tokens happens 6 months from their creation. I feel like this is a rather insecure setup.
From all the examples I've seen, JWTs have a very short lifetime, and then there's some sort of "refresh token" that renews it.
But that's all I know. I don't understand it well enough to code it in Python.
Could someone please help explain what this refresh token is, what exactly it does, how it is created, etc.?
UPDATE:
As for the specifications for JWT, I read this: https://www.rfc-editor.org/rfc/rfc7519
It doesn't mention any refresh tokens.
So now my question is, is what I'm doing secure enough?
Is it worth it to have a logout API endpoint that sends the token and adds it to a blacklist, so no one can steal it?
Upvotes: 1
Views: 270
Reputation: 984
Six months for a JWT is way too high and insecure. You might want to keep it a few hours or a day max. Along with that, have a long-lived refresh token (RT), which you can use to keep getting new JWTs. The function of the refresh token is to maintain a long-lived session (so that the user can be logged in for a long period of time), to detect token theft (if you keep changing the RT on each use) - since you mentioned stealing, and to enable you to use short-lived access tokens (since those are exposed over the wire most frequently). And yes, blacklisting JWTs can be a good idea, but if you are keeping them short-lived, then why do that?
This topic is quite vast and complex. You can refer to my blog post about this - it provides information about all session flows, their security and also has an end-to-end implemented library.
Upvotes: 1
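The access-token/refresh-token split the answer describes, as an added example that is not code from the question, the answer or the answer's library: a short-lived HS256 JWT built with the standard library instead of PyJWT, plus a server-side refresh-token store that rotates on every use and revokes the whole session family when a consumed token is presented again. The secret, the 15-minute TTL and the in-memory dictionaries (standing in for a MySQL table) are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-secret"  # assumption: real deployments load this from config
ACCESS_TTL = 15 * 60                 # short-lived access token, in seconds

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_access_token(user_id: str, now: float) -> str:
    # HS256 JWT (RFC 7519 compact form) with a short exp; it is signed, not encrypted.
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user_id, "iat": int(now), "exp": int(now) + ACCESS_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_access_token(token: str, now: float):
    # Return the claims when the signature and exp check out, else None.
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims.get("exp", 0) > now else None

# Server-side refresh-token state; a "family" groups every rotation of one login session.
LIVE = {}        # refresh token -> (user_id, family)
CONSUMED = {}    # refresh token already rotated -> family
REVOKED = set()  # families revoked after detected reuse

def issue_refresh_token(user_id: str, family: str = None) -> str:
    rt = secrets.token_urlsafe(32)   # opaque random value, never a JWT
    LIVE[rt] = (user_id, family or secrets.token_hex(8))
    return rt

def refresh(rt: str, now: float):
    # Rotate: one use per refresh token. Presenting an already-consumed token
    # means two parties hold it (theft), so the whole family is revoked.
    if rt in CONSUMED:
        REVOKED.add(CONSUMED[rt])
        return None
    entry = LIVE.pop(rt, None)
    if entry is None or entry[1] in REVOKED:
        return None
    user_id, family = entry
    CONSUMED[rt] = family
    return make_access_token(user_id, now), issue_refresh_token(user_id, family)
```

Because the refresh token is an opaque server-side record, "logout" is just deleting or revoking its family; the access token needs no blacklist because it expires on its own within minutes.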