MoeinMP

Reputation: 137

How to make a renewed/refreshed JWT (JSON Web Token) expire after the Angular project has not been interactive for 15 minutes

I have an Angular project in which I registered a JWT token as the authentication service for the server-side ASP.NET Core API project, something like this:

Startup.cs

using System;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// jsonWebToken is assumed to be a settings object (Key, Issuer, Audience,
// MinutesToExpiration) bound from configuration earlier in Startup.
public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = "JwtBearer";
            options.DefaultChallengeScheme = "JwtBearer";
        })
        .AddJwtBearer("JwtBearer", jwtBearerOptions =>
        {
            jwtBearerOptions.TokenValidationParameters = new TokenValidationParameters
            {
                // Reject tokens whose HMAC signature does not verify under the shared key.
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(
                    Encoding.UTF8.GetBytes(jsonWebToken.Key)),

                ValidateIssuer = true,
                ValidIssuer = jsonWebToken.Issuer,

                ValidateAudience = true,
                ValidAudience = jsonWebToken.Audience,

                // Check the token's exp/nbf claims. ClockSkew is the tolerance for
                // clock drift applied to that check; the lifetime itself comes from
                // the exp claim written when the token is issued.
                ValidateLifetime = true,
                ClockSkew = TimeSpan.FromMinutes(jsonWebToken.MinutesToExpiration)
            };
        });
}

and I defined ClockSkew (or MinutesToExpiration) as 15 minutes, so this JWT token always expires after 15 minutes regardless of whether the user is working in the application (active) or not (no interaction).

But I am looking for a solution where the JWT token expires after 15 minutes during which the user is not active (no interaction with the UI at all).

So I think this means somehow renewing the expiration time for another (the next) 15 minutes, but I cannot handle it.

So my question is: how can I renew/modify the expiry time of the front-end token (which I store in Local Storage) after each response from the server?

Thank you in advance for your help in this matter.

Upvotes: 0

Views: 2970

Answers (2)

Rishabh Poddar

Reputation: 984

Since you are using a JWT, modifying the expiry time will result in a change of the token itself. Even if you do that, the user could theoretically still continue to use the "older" version of the JWT as long as its expiry time has not been reached yet (this should not be a problem as such unless you decide to change some other info in the JWT payload as well). While this works, it's not really a clean solution to the problem. So what I suggest is that you don't use JWT tokens, and just use "opaque" tokens. Or if you must use JWT, then:

  • Use two tokens: a non-JWT token (let's call it the refresh token), and one JWT access token.

  • The lifetime of the access token is < 15 min, and the lifetime of the refresh token is 15 min.

  • Send the access token with each API call for authentication. If it has expired, then send the refresh token to a special endpoint to obtain a new access token and extend the life of the refresh token by 15 min (remember, the refresh token is not a JWT, so its value will not change). If the refresh token has expired too, then the user must log in again.

If you want more security in terms of detecting token theft (only possible if using both these tokens), you can also change the refresh token each time it's used; see https://www.rfc-editor.org/rfc/rfc6819#section-5.2.2.3. But doing so is not trivial (see https://hackernoon.com/the-best-way-to-securely-manage-user-sessions-91f27eeef460).

Also, I noticed that you use localStorage to store session tokens. Personally I feel this is not a very good idea since it opens up your code to XSS attacks. I know that storing the tokens in cookies opens them up to CSRF attacks, but I believe that's easier to handle. Plus, if you want the most security, you could have some part of the auth tokens stored in localStorage and some part in cookies (Secure & HttpOnly); this way, both those attack types will be useless.

To know more about session security, specifically to do with JWTs, see this blog post: https://hackernoon.com/all-you-need-to-know-about-user-session-security-ee5245e6bdad

Also, full disclosure: I am the author of this blog post and of a library I have been working on that provides an end-to-end, super secure session management solution. While it's not yet implemented for .NET, I will be happy to do so depending on your use case. Here is the link to the GitHub repo for an implementation: https://github.com/supertokens/supertokens-node-mysql-ref-jwt

I hope this answer helps.

Upvotes: 1
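The two-token scheme in the answer above (short-lived JWT access token, opaque refresh token with a sliding 15-minute idle window, optional rotation with theft detection per RFC 6819 §5.2.2.3), written out as an added example. This is not code from the answer, its author, or the SuperTokens library; it is a self-contained TypeScript model on Node's crypto module. Assumptions not in the original: HS256 for the access JWT, a 5-minute access lifetime, an in-memory Map as the refresh-token store, a hard-coded server secret, and a caller-supplied clock (`nowMs`) so the sliding window can be exercised deterministically.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

const ACCESS_TTL_MS = 5 * 60 * 1000;  // access JWT lifetime (< 15 min, assumed)
const IDLE_TTL_MS = 15 * 60 * 1000;   // refresh token idle window, slides on each refresh
const SECRET = "replace-with-a-real-256-bit-secret"; // assumed server HMAC key

const b64url = (b: Buffer): string => b.toString("base64url");

// Issue a compact HS256 JWT; exp/iat are seconds since epoch as in RFC 7519.
export function signAccessToken(sub: string, nowMs: number): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const payload = b64url(Buffer.from(JSON.stringify({
    sub,
    iat: Math.floor(nowMs / 1000),
    exp: Math.floor((nowMs + ACCESS_TTL_MS) / 1000),
  })));
  const sig = b64url(createHmac("sha256", SECRET).update(`${header}.${payload}`).digest());
  return `${header}.${payload}.${sig}`;
}

// Verify signature (constant-time) and lifetime; returns the subject or null.
export function verifyAccessToken(token: string, nowMs: number): string | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts as [string, string, string];
  const expected = createHmac("sha256", SECRET).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= nowMs) return null;
  return typeof claims.sub === "string" ? claims.sub : null;
}

interface RefreshRecord {
  sub: string;
  family: string;     // every token descended from one login shares a family id
  expiresAt: number;  // idle deadline; pushed forward on each successful refresh
  used: boolean;      // set once rotated away; a later presentation is a replay
}

const store = new Map<string, RefreshRecord>();   // opaque refresh token -> record
const revokedFamilies = new Set<string>();        // families killed after a replay

export function login(sub: string, nowMs: number) {
  const family = b64url(randomBytes(16));
  const refreshToken = b64url(randomBytes(32));   // opaque: random, no claims inside
  store.set(refreshToken, { sub, family, expiresAt: nowMs + IDLE_TTL_MS, used: false });
  return { accessToken: signAccessToken(sub, nowMs), refreshToken };
}

// The "special endpoint": trade a refresh token for a new access token, extend the
// idle window by 15 min, and rotate the refresh token. Reuse of an already-rotated
// token is treated as theft and revokes the whole family (RFC 6819 5.2.2.3).
export function refresh(refreshToken: string, nowMs: number) {
  const rec = store.get(refreshToken);
  if (!rec) return null;                                 // unknown token
  if (revokedFamilies.has(rec.family)) return null;      // family already killed
  if (rec.used) {                                        // replay of rotated token
    revokedFamilies.add(rec.family);
    return null;
  }
  if (rec.expiresAt <= nowMs) {                          // idle for more than 15 min
    store.delete(refreshToken);
    return null;                                         // user must log in again
  }
  rec.used = true;
  const next = b64url(randomBytes(32));
  store.set(next, { sub: rec.sub, family: rec.family, expiresAt: nowMs + IDLE_TTL_MS, used: false });
  return { accessToken: signAccessToken(rec.sub, nowMs), refreshToken: next };
}
```

The client only ever retries a failed (expired-access-token) request through `refresh`; the sliding window therefore measures time since the last refresh, not since the last UI event, which is the behaviour the asker wants without ever editing the JWT's own `exp`. Because `login` and `refresh` take the clock as a parameter, the same functions can be driven by `Date.now()` in production and by fixed timestamps in a test.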

mruanova

Reputation: 7115

Please take a look at ng-idle/keepalive; there is even a video tutorial on YouTube made by programmingwithnaveen: https://github.com/programmingwithnaveen/Session-Timeout

Upvotes: 0
