Reputation: 1744
I have a Web API that provides the user all the data that needs to be shown on my mobile application.

OWIN JWT Authentication is implemented and it's working properly. There's an endpoint /oauth2/token which provides the user a token, and all the endpoints have the [Authorize] attribute filter to validate it.

The token expiration is set to 5 minutes.

Login session is maintained through a separate SESSION-ID which is stored in the Keychain and also server-side to check the active session. Every time a user logs in inside the application, a new token is generated and the user can access API methods to get data.

What if the user leaves the application open for more than 5 minutes (token expiration time)? The token will not be available since it has expired; how can I refresh it? And when should I refresh it?

I read about refresh tokens but I'm not sure how to handle them (is this the right choice?), since the [Authorize] attribute will just reject my call if the token has expired, without providing an expiration message; I can't understand whether it is an expired token or an invalid one.
Upvotes: 0
Views: 1126
Reputation: 15786
What if the user leaves the application open for more than 5 minutes (token expiration time)? The token will not be available since it has expired, how can I refresh it?

If I understand right, you set the token expiration to 5 minutes, which means that if the user leaves the application open for more than 5 minutes, the token is no longer valid. Actually the user has to re-login to get the new token.

So back to your question: at the moment the token is expired, my advice is that you can present the loginPage and tell the user that he has to log in again to use the app.

I don't know if there is another way to get a new token; if there is one, the user may not have to re-login.

Also, I found a thread that may help: webapi-2-0-how-to-implement-refresh-jwt-token-when-access-token-expired
Upvotes: 1
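The refresh-token route the linked thread describes, as an added example that is not from the question, the answer or that thread: an OWIN/Katana refresh-token provider plus the matching grant handler, assuming /oauth2/token is served by OAuthAuthorizationServerMiddleware with the existing JWT AccessTokenFormat and the 5-minute AccessTokenExpireTimeSpan. The class names, the 7-day refresh-token lifetime and the in-memory store are placeholders.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;
// Issues an opaque, single-use refresh token next to each 5-minute access token; only its
// SHA-256 hash is stored (the ConcurrentDictionary stands in for a database table).
public class RefreshTokenProvider : IAuthenticationTokenProvider
{
    private static readonly ConcurrentDictionary<string, string> Store =
        new ConcurrentDictionary<string, string>();
    public void Create(AuthenticationTokenCreateContext context) => CreateAsync(context).Wait();
    public void Receive(AuthenticationTokenReceiveContext context) => ReceiveAsync(context).Wait();
    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        // The refresh token outlives the access token it accompanies (7 days is an assumed value).
        context.Ticket.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddDays(7);
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        var refreshToken = BitConverter.ToString(bytes).Replace("-", "");
        Store[Hash(refreshToken)] = context.SerializeTicket(); // server keeps hash + ticket only
        context.SetToken(refreshToken);                        // raw value goes to the client
        return Task.FromResult(0);
    }
    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        // TryRemove makes each refresh token single-use (a replayed one is rejected);
        // the middleware then checks the deserialized ticket's ExpiresUtc itself.
        string serializedTicket;
        if (Store.TryRemove(Hash(context.Token), out serializedTicket))
            context.DeserializeTicket(serializedTicket);
        return Task.FromResult(0);
    }
    private static string Hash(string value)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(value)));
    }
}
// Handles grant_type=refresh_token at /oauth2/token: re-validating the stored identity makes
// the middleware mint a new 5-minute access token and, via CreateAsync, a fresh refresh token.
public class AppOAuthProvider : OAuthAuthorizationServerProvider
{
    public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        context.Validated(new ClaimsIdentity(context.Ticket.Identity));
        return Task.FromResult(0);
    }
}
```

Register both on the existing OAuthAuthorizationServerOptions (Provider = new AppOAuthProvider(), RefreshTokenProvider = new RefreshTokenProvider()); the app then posts grant_type=refresh_token with the stored refresh token to /oauth2/token when a call returns 401 or when the access token's exp claim is about to pass, and only falls back to the login page if that request itself is rejected with invalid_grant.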