JWT refresh token flow

I'm building a mobile app and am using JWT for authentication.

It seems like the best way to do this is to pair the JWT access token with a refresh token so that I can expire the access token as frequently as I want.

  • What does a refresh token look like? Is it a random string? Is that string encrypted? Is it another JWT?
  • The refresh token would be stored in the database on the user model for access, correct? It seems like it should be encrypted in this case
  • Would I sent the refresh token back after a user login, and then have the client access a separate route to retrieve an access-token?

  • Assuming that this is about OAuth 2.0 since it is about JWTs and refresh tokens...:

  • just like an access token, in principle a refresh token can be anything including all of the options you describe; a JWT could be used when the Authorization Server wants to be stateless or wants to enforce some sort of "proof-of-possession" semantics on to the client presenting it; note that a refresh token differs from an access token in that it is not presented to a Resource Server but only to the Authorization Server that issued it in the first place, so the self-contained validation optimization for JWTs-as-access-tokens does not hold for refresh tokens

  • that depends on the security/access of the database; if the database can be accessed by other parties/servers/applications/users, then yes (but your mileage may vary with where and how you store the encryption key...)

  • an Authorization Server may issue both access tokens and refresh tokens at the same time, depending on the grant that is used by the client to obtain them; the spec contains the details and options on each of the standardized grants


  • Based in this implementation with Node.js of JWT with refresh token:

    1) In this case they use a uid and it's not a JWT. When they refresh the token they send the refresh token and the user. If you implement it as a JWT, you don't need to send the user, because it would inside the JWT.

    2) They implement this in a separated document (table). It has sense to me because a user can be logged in in different client applications and it could have a refresh token by app. If the user lose a device with one app installed, the refresh token of that device could be invalidated without affecting the other logged in devices.

    3) In this implementation it response to the log in method with both, access token and refresh token. It seams correct to me.

    链接地址: http://www.djcxy.com/p/22020.html

    上一篇: 处理JWT令牌

    下一篇: JWT刷新令牌流