Open daheige opened 4 years ago
There is no example on refresh tokens in this repository because there are different strategies for that. If you see the README's References section's link you can follow some articles about it. Instead, we have a simple example at: https://github.com/kataras/iris/tree/jwt-new-features/_examples/auth/jwt/refresh-token.
In short:
Sign access, refresh tokens and generate a pair which is sent to the client
```go
func generateTokenPair() (jwt.TokenPair, error) {
	// Simulate a user...
	userID := "53afcf05-38a3-43c3-82af-8bbbe0e4a149"

	// The refresh token carries the user ID as its subject,
	// so the refresh operation can check who it belongs to.
	refreshClaims := jwt.Claims{Subject: userID}
	accessClaims := UserClaims{
		ID:       userID,
		Username: "kataras",
	}

	// Short-lived access token, longer-lived refresh token.
	accessToken, err := jwt.Sign(alg, secret, accessClaims, jwt.MaxAge(5*time.Minute))
	if err != nil {
		return jwt.TokenPair{}, err
	}
	refreshToken, err := jwt.Sign(alg, secret, refreshClaims, jwt.MaxAge(1*time.Hour))
	if err != nil {
		return jwt.TokenPair{}, err
	}

	return jwt.NewTokenPair(accessToken, refreshToken), nil
}
```
Create a handler on /login and send the result of that token pair.
The refresh operation (there are other strategies though)
```go
currentUserID := "53afcf05-38a3-43c3-82af-8bbbe0e4a149"
var refreshToken []byte // take from header...

// Verify the refresh token and that its subject is the current user.
_, err := jwt.Verify(alg, secret, refreshToken, jwt.Expected{Subject: currentUserID})
if err != nil { /* send 401 */ return }

tokenPair, err := generateTokenPair()
if err != nil { /* send 500 */ return }
// ^ send tokenPair to the client
```
Create a handler on /refresh and send the result of that token pair.
Your client can fire 'silent' calls to the /refresh to renew its access token automatically.
@daheige If you still need a native net/http example, just comment below and I will prepare you http.Server, http.Client and JavaScript client examples :) Keep note that the refresh strategy depends on your application requirements and it's better if you just google and get ideas from there instead, so you have the complete picture in your mind before deciding what is better for you.
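The check a /refresh handler has to make before re-issuing a pair, as an added example that is not part of this thread and not kataras/jwt code: it stands in for the library with an HS256 signer built on the Go standard library so it runs offline. The `use` claim, the `sign`/`refresh` helpers, the demo key and the user IDs are assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var secret = []byte("constructed-demo-key") // constructed value, demo only
var errUnauthorized = errors.New("refresh token rejected") // handler answers 401
type claims struct {
	Sub string `json:"sub"`
	Use string `json:"use"` // hypothetical claim: "access" or "refresh"
	Exp int64  `json:"exp"`
}

func mac(data string) string { // base64url HMAC-SHA256 of data under secret
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(data))
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
}

func sign(sub, use string, ttl time.Duration) string { // HS256 token, valid for ttl
	enc := base64.RawURLEncoding.EncodeToString
	body, _ := json.Marshal(claims{sub, use, time.Now().Add(ttl).Unix()})
	data := enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc(body)
	return data + "." + mac(data)
}

// refresh checks a refresh token for currentUserID and issues a new pair.
func refresh(token, currentUserID string) (access, renewed string, err error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(mac(p[0]+"."+p[1]))) {
		return "", "", errUnauthorized // malformed or bad signature
	}
	var c claims
	body, _ := base64.RawURLEncoding.DecodeString(p[1])
	if json.Unmarshal(body, &c) != nil || c.Sub != currentUserID ||
		c.Use != "refresh" || time.Now().Unix() >= c.Exp {
		return "", "", errUnauthorized // wrong user, not a refresh token, or expired
	}
	return sign(c.Sub, "access", 5*time.Minute), sign(c.Sub, "refresh", time.Hour), nil
}

func main() { fmt.Println(refresh(sign("user-1", "refresh", time.Hour), "user-1")) }
```

An HTTP handler would read the token from the request, call `refresh`, and answer 401 on `errUnauthorized`.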
Thank you very much. After reading what you said, there are indeed different refresh strategies. This depends on the business scenario. I will try these strategies you mentioned, and if there are other questions, I will consult you again.
https://github.com/kataras/jwt#token-pair How to refresh jwt token? From this help document, it seems that I don't see how to use it. Can you give a specific http web demo or how to refresh the token.