thelovemsg / chatting_app


Make refresh functionality for JWT! #13

Closed thelovemsg closed 1 year ago

thelovemsg commented 1 year ago

objective

Make refresh functionality for JWT!

detailed work content

  • I came to realize something is missing from my JwtProvider. And it was the refresh thing for the access token.
  • When the access token is expired, I need to reissue the access token with the user's refresh token.
  • I'm quite curious what I should do if the refresh token is also expired.
  • What should I do to reissue the access token? I think I've missed a lot of business logic for this.

note

In a typical JWT-based authentication flow, the following steps occur:

  1. The user provides their credentials (e.g., username and password) to the client application.
  2. The client application sends a request to the authentication server with the user's credentials.
  3. If the credentials are valid, the authentication server issues an access token and a refresh token. The access token is used to access protected resources, while the refresh token is used to obtain new access tokens when the current one expires.
  4. The client application stores both the access token and refresh token, typically in memory or a secure storage location.
  5. When the access token expires, the client application uses the refresh token to request a new access token from the authentication server.
  6. The authentication server validates the refresh token and, if valid, issues a new access token (and optionally, a new refresh token).
  7. The client application updates its stored access token and uses it to access protected resources.

thelovemsg commented 1 year ago

When a user requests a new access token, should we return a refresh token together with it?

I asked that question to chatGPT and the following is the answer.

When a user requests a new access token using their refresh token, you do not need to return a new refresh token with every new access token. The purpose of the refresh token is to allow the user to request new access tokens without having to re-authenticate. Typically, refresh tokens have a much longer lifespan than access tokens, which means the user can use the same refresh token multiple times to get new access tokens.

However, there are some cases where you may want to issue a new refresh token:

  1. Security reasons: If you want to limit the potential damage in case a refresh token is compromised, you can issue a new refresh token with each access token request. This way, if an attacker gets hold of a refresh token, they can only use it once before it becomes invalid. This is sometimes called "refresh token rotation."

  2. Token renewal: If your refresh tokens have a fixed expiration time and you want to allow users to renew their refresh tokens without requiring them to log in again, you can issue a new refresh token along with the new access token. In this case, you can update the expiration time for the new refresh token, effectively extending the user's session.

I hope this helps you!
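Server-side sketch of the flow from the note in the first comment plus the "refresh token rotation" described in the answer above, as an added example (Python, not code from the chatting_app project or its JwtProvider). The HS256 secret, the lifetimes, the `jti`/`fam` claim names and the in-memory store are all assumptions for the demo; the point is that each refresh token is accepted once, an expired one forces a new login, and presenting an already-consumed token is treated as a replay that revokes the whole session family.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-secret"  # constructed for this example; load from a secret store in real code
ACCESS_TTL, REFRESH_TTL = 15 * 60, 7 * 24 * 3600  # assumed lifetimes in seconds

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, ttl: int, now: int) -> str:
    # Minimal HS256 JWT: base64url(header).base64url(payload).base64url(signature)
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({**claims, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify(token: str, now: int):
    # Claims only if the signature checks out and exp is still in the future, else None
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return None
    expect = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    return claims if claims.get("exp", 0) > now else None

class TokenService:
    def __init__(self):
        self.live = {}         # unused refresh jti -> session family id
        self.replayed = set()  # families revoked because a rotated token was presented again

    def login(self, user: str, now: int) -> dict:
        return self._issue(user, secrets.token_hex(8), now)

    def _issue(self, user: str, family: str, now: int) -> dict:
        jti = secrets.token_hex(8)
        self.live[jti] = family
        return {"access_token": sign({"sub": user, "typ": "access"}, ACCESS_TTL, now),
                "refresh_token": sign({"sub": user, "typ": "refresh", "jti": jti, "fam": family}, REFRESH_TTL, now)}

    def refresh(self, refresh_token: str, now: int):
        claims = verify(refresh_token, now)
        if claims is None or claims.get("typ") != "refresh":
            return None  # bad signature or expired refresh token: the user must log in again
        if claims["jti"] not in self.live:  # well-signed but already consumed: a replay
            self.replayed.add(claims["fam"])  # revoke the whole session family
            self.live = {j: f for j, f in self.live.items() if f != claims["fam"]}
            return None
        del self.live[claims["jti"]]  # consume the presented token before issuing the next pair
        return self._issue(claims["sub"], claims["fam"], now)
```

A production service would keep `live`/`replayed` in a shared store and alert on entries landing in `replayed`, since a replay means the old refresh token was held by two parties.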

thelovemsg commented 1 year ago

Good Job! really nice. Fantastic baby.