Android refresh token

I'm developing an Android app and I'm a little confused regarding the token and refresh token. Basically, right now, after the user logs in with a mobile number and a code sent by SMS, the authentication server returns an access token that will be used for accessing all APIs. For the authentication server, I've used Laravel with the jwt-auth library. When the access token expires, I will ask for a new one using the user's credentials stored in the AccountManager. Is this the correct way to implement this authentication?

Or am I missing the refresh token, with which I ask for a new access token when it has expired?

Thanks in advance, Daniele


I think it's better to use both a token and a refresh token, so you don't always have to send your credentials when your access token is expired. Moreover, it's not safe to store users' credentials on a client device; you should store this information on your server and ask the user to type it when needed.

Here is how I implement the token/refresh token process:

1. You send your credentials to your authentication server; it will send you back an access token (I use the JSON web token type, which is not stored in the database) and a refresh token (that is stored in the database).

2. When you make a request to your server, you check if the access token is expired. If it is, you make a request to your authentication server with the refresh token as a parameter in order to get a new access token (depending on the configuration of your server, it could give you back either a new access token or a new pair of access token and refresh token, which I prefer).

3. If the refresh token is expired, you make a request with your credentials to get a new pair of tokens.
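
The three steps above, sketched from the auth server's side as an added example (not code from the answer, Laravel or jwt-auth). It is written in Python for brevity; the function names, the token lifetimes and the in-memory `refresh_store` standing in for the database table are all assumptions.

```python
import base64, hashlib, hmac, json, secrets

SECRET = secrets.token_bytes(32)            # signing key, held by the auth server only
ACCESS_TTL, REFRESH_TTL = 900, 14 * 86400   # assumed lifetimes, in seconds
refresh_store = {}                          # stand-in for the DB: sha256(token) -> (user, expiry)

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(msg):
    return _b64(hmac.new(SECRET, msg.encode(), hashlib.sha256).digest())

def issue_pair(user, now):
    """Step 1: a stateless signed access token plus a stored, opaque refresh token."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "exp": now + ACCESS_TTL}).encode())
    access = f"{header}.{payload}.{_sign(header + '.' + payload)}"
    refresh_token = secrets.token_urlsafe(32)
    # Only the hash is stored, so a leaked table does not yield usable tokens.
    key = hashlib.sha256(refresh_token.encode()).hexdigest()
    refresh_store[key] = (user, now + REFRESH_TTL)
    return access, refresh_token

def verify_access(token, now):
    """Return the user for a valid, unexpired access token, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = _sign(header + "." + payload)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except ValueError:                      # wrong shape, bad base64 or bad JSON
        return None
    return claims["sub"] if now < claims["exp"] else None

def refresh(refresh_token, now):
    """Step 2: swap a refresh token for a new pair; each token works exactly once."""
    key = hashlib.sha256(refresh_token.encode()).hexdigest()
    entry = refresh_store.pop(key, None)    # removed on use, so a replay finds nothing
    if entry is None or now >= entry[1]:
        return None                         # unknown, reused or expired: step 3, log in again
    return issue_pair(entry[0], now)
```

A `None` from `refresh` is the client's signal to fall back to step 3 and ask the user for credentials again.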
