JSON Web Token Implementation: access and refresh token

I am about to implement an authentication system that uses the JSON Web Token (JWT) approach. I have read about multiple approaches online, but they always seem to be slightly different from the one I'm thinking of using.

The approach I am thinking of is:

  • A user logs in, causing the server to create a refresh token and an access token. (The refresh token consists of an id and an expiry date, and the access token is a JWT valid for 15 minutes that contains the refresh token id.)

  • The user can make several successful requests using the access token until it expires.

  • Once the user makes a request with an expired token, the server checks whether the refresh token id contained in the expired access token matches the current refresh token.

  • If it matches, change the refresh token id and create a new access token containing the new refresh token id.

  • If it doesn't match, ask for authentication.

I believe that this approach has the following advantages:

  • it doesn't require the client to deal with the refresh token directly

  • a DB or cache request has to be done only once every 15 minutes to check on the refresh token

  • it allows the application to terminate a session by removing the refresh token from the DB or cache.

  • the server will create only one access token that matches a refresh token. Once the access token is renewed, using it again will not cause another refresh action.

Could anyone comment on this? Is this a good approach?


The objective of refresh tokens is to allow applications to obtain a new access token without re-authenticating, minimizing the effect of a stolen token. If you allow automatic renewal by including a refresh ID in the token itself, you are in fact extending the lifetime of the token without deliberately requiring the refresh token.

An attacker who steals a JWT could indefinitely impersonate the user until the user performs a new access and the ID no longer matches.

I think it is more secure to obtain a new access token before it expires, specifically using the refresh token.
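The following is an added example, not code from the question or the answer above. It implements in Python the shape the answer recommends, and contrasts it with the question's design: a 15-minute HS256 access token (the question's lifetime) plus a separate, opaque refresh token kept server-side, which the client must present explicitly. An expired access token on its own buys nothing at the refresh endpoint, which is the answer's point. It goes one step beyond the thread by rotating the refresh token on every use and revoking the whole session when a spent refresh id is replayed. The signing secret, the token lifetimes, the timestamps and the user name are assumed or constructed, and the JWT helpers are a minimal hand-rolled HS256 rather than a library.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

SECRET = b"example-hs256-key-replace-me"  # assumption: server-side HS256 secret
ACCESS_TTL = 15 * 60                     # 15-minute access token, as in the question
REFRESH_TTL = 30 * 24 * 3600             # assumed 30-day refresh token lifetime


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: float, key: bytes = SECRET) -> Optional[dict]:
    """Return claims if the HS256 signature checks out and 'exp' is still ahead, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # server fixes the alg
            return None
        claims = json.loads(_b64url_decode(payload))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, TypeError, AttributeError):
        return None


class AuthServer:
    """15-minute JWT access token plus an opaque refresh token kept server-side."""
    def __init__(self, key: bytes = SECRET):
        self.key = key
        self.store: dict = {}  # refresh_id -> {"sub", "exp", "family", "used"}

    def _issue(self, user: str, family: str, now: float) -> tuple:
        refresh_id = secrets.token_urlsafe(32)  # random; not derivable from the JWT
        self.store[refresh_id] = {"sub": user, "exp": now + REFRESH_TTL, "family": family, "used": False}
        access = sign_jwt({"sub": user, "iat": int(now), "exp": int(now + ACCESS_TTL)}, self.key)
        return access, refresh_id

    def login(self, user: str, now: float) -> tuple:
        return self._issue(user, secrets.token_urlsafe(16), now)

    def authorize(self, access_token: str, now: float) -> Optional[str]:
        claims = verify_jwt(access_token, now, self.key)
        return claims.get("sub") if claims else None

    def refresh(self, refresh_id: str, now: float) -> Optional[tuple]:
        rec = self.store.get(refresh_id)
        if rec is None or rec["exp"] <= now:
            return None
        if rec["used"]:  # a rotated id presented again: assume theft, revoke the family
            self._revoke_family(rec["family"])
            return None
        rec["used"] = True
        return self._issue(rec["sub"], rec["family"], now)

    def logout(self, refresh_id: str) -> None:
        rec = self.store.get(refresh_id)
        if rec is not None:
            self._revoke_family(rec["family"])

    def _revoke_family(self, family: str) -> None:
        for rid in [r for r, rec in self.store.items() if rec["family"] == family]:
            del self.store[rid]


def demo() -> dict:
    """Run the flow on fixed timestamps; every entry should be True."""
    srv, t0 = AuthServer(), 1_700_000_000.0  # constructed login time
    access, refresh = srv.login("alice", t0)
    t1 = t0 + ACCESS_TTL + 1                 # just after the access token expires
    checks = {
        "fresh_access_accepted": srv.authorize(access, t0 + 60) == "alice",
        "expired_access_rejected": srv.authorize(access, t1) is None,
        # an expired JWT is not a refresh credential: presenting it gains nothing
        "access_token_cannot_refresh": srv.refresh(access, t1) is None,
        "forged_rejected": srv.authorize(sign_jwt({"sub": "alice", "exp": int(t1 + 3600)}, b"guess"), t0) is None,
    }
    access2, refresh2 = srv.refresh(refresh, t1)      # the real refresh token rotates the pair
    checks["rotated_access_accepted"] = srv.authorize(access2, t1 + 1) == "alice"
    checks["replay_detected"] = srv.refresh(refresh, t1 + 2) is None       # spent id replayed
    checks["family_revoked"] = srv.refresh(refresh2, t1 + 3) is None       # whole family gone
    _, refresh3 = srv.login("alice", t1 + 10)
    srv.logout(refresh3)
    checks["logout_blocks_refresh"] = srv.refresh(refresh3, t1 + 11) is None
    return checks
```

Two caveats worth keeping in mind when weighing the question's advantages against this shape. First, the DB or cache is still touched only at refresh time, so the "once every 15 minutes" property is preserved; what changes is that the credential doing the refreshing is never inside the JWT. Second, removing the refresh token (logout or revocation) blocks the next refresh but does not invalidate an access token that has already been issued; it stays usable until its `exp`, so a session that must end immediately needs a per-request check, which is exactly the cost the 15-minute window is meant to bound.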
