srilakshmikanthanp

Reputation: 2369

What is the point of refresh token in jwt?

Please don't mark this as a duplicate. I came across a lot of questions like this, but I still didn't get the point of refresh tokens. Some of the reasons they gave are:

  1. If an attacker gets the access token, it will expire soon.

But where I am confused is: if the attacker was able to get the access token, why wouldn't they be able to get the refresh token too? (Both of them need to be accessed by JS to send the request, so they need to be stored in local storage.)

  2. If the attacker gets the refresh token, we can block it on the server.

But we can also block the access token on the server, right? (With a DB.)

Note: I am not talking about OAuth refresh tokens, because as per the answers I read,

The idea of refresh tokens is that if an access token is compromised, because it is short-lived, the attacker has a limited window in which to abuse it.

Refresh tokens, if compromised, are useless because the attacker requires the client id and secret in addition to the refresh token in order to gain an access token.

So it makes sense there, but what about JWT?

Upvotes: 5

Views: 3044

Answers (3)

luxdev

Reputation: 1

One way in which the authentication token can be renewed by means of another token, without exposing it to client applications (avoiding its malicious use), is to store it in a cache system such as Redis and, when the request token has expired, check in storage whether the user has a refresh token that allows him to regenerate the authentication. This could be implemented within the same middleware that validates the token that accompanies the request, or in an endpoint intended for this purpose.

Upvotes: 0

Tim Biegeleisen

Reputation: 520878

The refresh token allows the client to make a call and ask for a new access token. For setups where the access token does have a certain expiry, the refresh token will typically have an expiry that is later than that of the access token itself. Here is a typical workflow using access and refresh tokens:

  1. The client authenticates to the server via 1FA or 2FA.
  2. The server responds with an access token having an expiry in 5 minutes, along with a refresh token which expires a minute later.
  3. The client then uses the access token as needed.
  4. When authentication fails using the current access token, under the hood the client will take the refresh token and hit the server to get a new access token. We then go to step #2 above and recycle.

Note that in certain instances the refresh token is not needed. One example would be sites like Stack Overflow, which use tokens that never expire. Another example would be certain high-security sites such as banking sites. In these cases, the site might force you to reauthorize via 1FA/2FA in order to keep the session going.

Upvotes: 1

Evert

Reputation: 99505

Typically the access token gets sent with every request, and to your API.

Typically a refresh token only gets sent once, immediately expires after use, and only goes to your authentication server. All these measures generally reduce risk.

JWT and OAuth2 can be used together, and it's highly recommended to use OAuth2 instead of trying to write something from scratch.

I talk a bit more about the pitfalls in my article: https://evertpot.com/jwt-is-a-bad-default/

Upvotes: 1
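The workflow in Tim Biegeleisen's answer (short-lived access token, longer-lived refresh token, rotation when the access token expires) and the point in Evert's answer (the refresh token is sent once, to the auth server only, and dies after use) can be shown in one small model. The code below is an added example, not code from either answer or from any library: it builds a minimal HS256 JWT by hand so it runs offline, and keeps refresh tokens as opaque, hashed, single-use records on the server side. The `AuthServer` class, the "token family" idea (a replayed refresh token revokes every descendant issued from the same login), the secret and the lifetimes are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"demo-signing-key-not-for-production"  # constructed for the example
ACCESS_TTL = 300            # 5 minutes, as in the answer above
REFRESH_TTL = 7 * 24 * 3600 # one week; an arbitrary choice for the example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(sub: str, now: float) -> str:
    """Self-contained HS256 JWT; the API can verify it with no DB lookup."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, now: float):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None  # expired: client must fall back to the refresh token
    return claims


class AuthServer:
    """Hypothetical auth server: refresh tokens are opaque, stored hashed,
    valid for a single use, and grouped into a 'family' per login so that a
    replay of an already-rotated token revokes the whole chain."""

    def __init__(self):
        self.refresh = {}            # sha256(token) -> record
        self.revoked_families = set()

    def _new_refresh(self, sub: str, family: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.refresh[digest] = {"sub": sub, "family": family, "exp": now + REFRESH_TTL, "used": False}
        return token

    def login(self, sub: str, now: float):
        """Step 1/2 of the workflow: after 1FA/2FA, hand out both tokens."""
        family = secrets.token_hex(8)
        return issue_access_token(sub, now), self._new_refresh(sub, family, now)

    def refresh_tokens(self, refresh_token: str, now: float):
        """Step 4: exchange a refresh token for a fresh pair. Returns None on failure."""
        rec = self.refresh.get(hashlib.sha256(refresh_token.encode()).hexdigest())
        if rec is None or rec["exp"] <= now or rec["family"] in self.revoked_families:
            return None
        if rec["used"]:
            # Replay of a rotated token: either the client or a thief has the
            # old copy, so revoke every token descended from this login.
            self.revoked_families.add(rec["family"])
            return None
        rec["used"] = True  # single use, as Evert's answer describes
        return issue_access_token(rec["sub"], now), self._new_refresh(rec["sub"], rec["family"], now)


if __name__ == "__main__":
    srv, t0 = AuthServer(), 1_700_000_000.0
    access, refresh = srv.login("alice", t0)
    print("valid now:", verify_access_token(access, t0 + 10) is not None)
    print("valid after 5 min:", verify_access_token(access, t0 + 301) is not None)
    access, refresh2 = srv.refresh_tokens(refresh, t0 + 301)
    print("replay of old refresh token accepted:", srv.refresh_tokens(refresh, t0 + 302) is not None)
```

The access token is checked by signature and `exp` alone, so the API never hits a database; the refresh token only ever travels to `refresh_tokens`, and an attacker who copies it gets at most one exchange before the family is shut down, which is the risk reduction both answers refer to.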
