Should I explicitly send the Refresh Token to get a new Access Token - JWT

spring-boot spring-security jwt access-token refresh-token
vigamage picture vigamage · Jul 7, 2017 · Viewed 14k times · Source

In my application, I return an access token and a refresh token when a user logs in successfully. The expiration times for access and refresh token have been set to 10 and 40 minutes respectively. (I should do some more research on those values. This is just for testing)

I used the implementation described in following article

http://www.svlada.com/jwt-token-authentication-with-spring-boot/

Let's say I invoke a request to the server after 10 minutes of the login in. Since the access token is expired, I am getting 401 error response.

However, as a beginner, I find it difficult to understand whether I need to send the refresh token explicitly in order to obtain a new access token. If I should do so, how to do that? I should send the refresh token as what? a header?

Or else, when my request is rejected by the server since the access token is expired, should the refresh token itself send a request automatically to the server in order to obtain a new access token?

I found it hard to understand the nature of the behavior of refresh token from the resources I found on the net. Kindly clarify me on these questions.

Answer

jps picture jps · Jul 7, 2017

Yes, the refresh token is used to obtain a new access token.

When you request the access token for the first time, you usually start by sending a token request to the token endpoint, in case of the so called Resource Owner Password Credentials Grant with user credentials in the request header, e.g.

grant_type=password&username=user1&passowrd=very_secret

when the access token is expired, you have to request a new access token. This time, with a refresh token which is still valid, you don't need the user credentials again but send

grant_type=refresh_token&refresh_token=<your refresh token>

instead. This way you don't need to store the user credential on client side and don't need to bother the user again with a login procedure. As you know the expiry time, you can also implement a mechanism to refresh your token before the access_token is expired.

Additionally you can read this for further information about the topic: https://auth0.com/learn/refresh-tokens/

In the following tutorial is also a screenshot of how to use refresh token in postman: http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/ (scroll down to step 6) Generally I can recommend reading Taiseer Joudeh's tutorial, esp. for C#, ASP.NET uand Angular programmers.

Related questions

Extract Currently Logged in User information from JWT token using Spring Security

I have implemented JWT and LDAP Authentication using Spring Security Oauth2. It seems to be working fine and I can login with my LDAP credentials. Now, there is one requirement that I need to use the currently logged in user …

Read More
Accessing a Spring OAuth 2 JWT payload inside the Resource Server controller?

I'm going through this tutorial on how to setup spring boot oauth with jwt. It covers decoding the JWT token using Angular, but how do we decode it and get access to custom claims inside the Resource Server controller? For …

Read More
How to configure CORS in a Spring Boot + Spring Security application?

I use Spring Boot with Spring Security and Cors Support. If I execute following code url = 'http://localhost:5000/api/token' xmlhttp = new XMLHttpRequest xmlhttp.onreadystatechange = -> if xmlhttp.readyState is 4 console.log xmlhttp.status xmlhttp.open "GET", url, true # …

Read More