JWT refresh token flow

jtmarmon picture jtmarmon · Dec 31, 2014 · Viewed 103.6k times · Source

I'm building a mobile app and am using JWT for authentication.

It seems like the best way to do this is to pair the JWT access token with a refresh token so that I can expire the access token as frequently as I want.

  1. What does a refresh token look like? Is it a random string? Is that string encrypted? Is it another JWT?
  2. The refresh token would be stored in the database on the user model for access, correct? It seems like it should be encrypted in this case
  3. Would I sent the refresh token back after a user login, and then have the client access a separate route to retrieve an access-token?

Answer

Bhupinder Singh picture Bhupinder Singh · Jan 26, 2019

Below are the steps to do revoke your JWT access token:

  1. When you do log in, send 2 tokens (Access token, Refresh token) in response to the client.
  2. The access token will have less expiry time and Refresh will have long expiry time.
  3. The client (Front end) will store refresh token in his local storage and access token in cookies.
  4. The client will use an access token for calling APIs. But when it expires, pick the refresh token from local storage and call auth server API to get the new token.
  5. Your auth server will have an API exposed which will accept refresh token and checks for its validity and return a new access token.
  6. Once the refresh token is expired, the User will be logged out.

Please let me know if you need more details, I can share the code (Java + Spring boot) as well.

For your questions:

Q1: It's another JWT with fewer claims put in with long expiry time.

Q2: It won't be in a database. The backend will not store anywhere. They will just decrypt the token with private/public key and validate it with its expiry time also.

Q3: Yes, Correct