paragonie / paseto

Platform-Agnostic Security Tokens
https://paseto.io

Is there a refresh token concept for public purpose #104

Closed kounelios13 closed 2 years ago

kounelios13 commented 4 years ago

Hello. I have recently started studying Paseto. As a person coming from a JWT background I am used to the refresh token idea (when my JWT expires I get a new one by providing a special key).

Now, as an alternative for JWT authentication, paseto provides the public purpose tokens. Now my question is this. When a token expires, what should I do? Is there any way to refresh that token, or do I need to prompt the user to enter their login credentials so I can sign a new token?

paragonie-scott commented 4 years ago

Your question is from an OAuth2 background, not a JWT background.

JWT doesn't have a concept of request/access tokens. Other standards do. Those standards just so happen to use JWT as a means of encoding these tokens.

You can use a PASETO for the same purpose, yes.

The plan is, after the XChaCha20 RFC passes, to focus on formalizing PASETO as an IETF RFC and then get it into OpenID Connect as a JWT alternative.
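
Since the answer above says a PASETO can fill the access/refresh token role that OAuth2-style flows use JWTs for, here is an added example of that pattern (not code from this thread or from the paseto project itself). It assumes the paragonie/paseto PHP library is installed through Composer and uses its `Builder`, `Parser`, rule and key classes as documented in the library README; the `TokenIssuer` class, the audience strings `api` and `refresh`, the lifetimes, and the in-memory set of redeemed refresh-token ids (single-use rotation) are choices made for this example, not anything the library prescribes.

```php
<?php
declare(strict_types=1);

// Assumption: paragonie/paseto installed via `composer require paragonie/paseto`.
require 'vendor/autoload.php';

use ParagonIE\Paseto\Builder;
use ParagonIE\Paseto\Exception\PasetoException;
use ParagonIE\Paseto\Keys\AsymmetricSecretKey;
use ParagonIE\Paseto\Parser;
use ParagonIE\Paseto\Protocol\Version4;
use ParagonIE\Paseto\ProtocolCollection;
use ParagonIE\Paseto\Purpose;
use ParagonIE\Paseto\Rules\ForAudience;
use ParagonIE\Paseto\Rules\IssuedBy;
use ParagonIE\Paseto\Rules\NotExpired;

// Hypothetical issuer (example-only class): signs v4.public tokens and remembers
// which refresh-token ids have already been redeemed. In production that set
// lives in a database or cache shared by all API nodes, not in memory.
final class TokenIssuer
{
    private const ISSUER = 'https://auth.example.test'; // constructed value

    private AsymmetricSecretKey $secretKey;
    /** @var array<string, true> */
    private array $redeemedRefreshIds = [];

    public function __construct(AsymmetricSecretKey $secretKey)
    {
        $this->secretKey = $secretKey;
    }

    /** Short-lived access token plus a longer-lived refresh token for one user. */
    public function issuePair(string $userId): array
    {
        return [
            'access'  => $this->sign($userId, 'api', 'PT15M'),
            'refresh' => $this->sign($userId, 'refresh', 'P14D'),
        ];
    }

    /**
     * Redeem a refresh token: verify signature, expiry, issuer and audience,
     * reject reuse, then rotate by issuing a brand-new pair. A replayed refresh
     * token therefore fails here instead of silently minting another session.
     */
    public function refresh(string $refreshToken): array
    {
        $claims = $this->parserFor('refresh')->parse($refreshToken);
        $jti = $claims->get('jti');
        if (isset($this->redeemedRefreshIds[$jti])) {
            throw new PasetoException('Refresh token already redeemed');
        }
        $this->redeemedRefreshIds[$jti] = true;
        return $this->issuePair($claims->get('sub'));
    }

    /** Verify an access token the way a resource server would; returns the subject. */
    public function verifyAccess(string $accessToken): string
    {
        return $this->parserFor('api')->parse($accessToken)->get('sub');
    }

    private function sign(string $userId, string $audience, string $lifetime): string
    {
        return (new Builder())
            ->setKey($this->secretKey)
            ->setVersion(new Version4())
            ->setPurpose(Purpose::public())
            ->setIssuer(self::ISSUER)
            ->setAudience($audience)        // keeps access and refresh tokens from being swapped
            ->setSubject($userId)
            ->setJti(bin2hex(random_bytes(16)))
            ->setIssuedAt()
            ->setNotBefore()
            ->setExpiration((new DateTime())->add(new DateInterval($lifetime)))
            ->toString();
    }

    private function parserFor(string $audience): Parser
    {
        // Only the public key is needed to verify; only v4 is accepted.
        return Parser::getPublic($this->secretKey->getPublicKey(), ProtocolCollection::v4())
            ->addRule(new NotExpired())
            ->addRule(new IssuedBy(self::ISSUER))
            ->addRule(new ForAudience($audience));
    }
}

// Usage walk-through with a freshly generated key (constructed demo values).
$issuer = new TokenIssuer(AsymmetricSecretKey::generate(new Version4()));
$pair = $issuer->issuePair('user-42');
echo 'subject from access token: ', $issuer->verifyAccess($pair['access']), PHP_EOL;

$rotated = $issuer->refresh($pair['refresh']);   // first redemption succeeds
try {
    $issuer->refresh($pair['refresh']);           // second redemption is rejected
} catch (PasetoException $e) {
    echo 'replay blocked: ', $e->getMessage(), PHP_EOL;
}
try {
    $issuer->verifyAccess($rotated['refresh']);   // refresh token presented as access token
} catch (PasetoException $e) {
    echo 'wrong audience blocked: ', $e->getMessage(), PHP_EOL;
}
```

The two points worth taking from this: the access and refresh tokens are the same kind of PASETO and are told apart by their claims (here `aud`), so the verifier must pin the audience it expects, and a refresh token should be single-use and rotated so that a stolen copy is detected the moment either party redeems it a second time.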

paragonie-security commented 2 years ago

Should this question live here (the PHP repository), or should we move it to the specification repository?

kounelios13 commented 2 years ago

I believe it should be moved to the specification repository.

paragonie-security commented 2 years ago

https://github.com/paseto-standard/paseto-spec/issues/2 :)