Why JWT Token

JWT Token?
  A JWT is issued to a user when the user authenticates; the client then sends it as a Bearer token (Authorization: Bearer <token>) on every request to a REST endpoint, and the server accepts the request if the signature verifies and the token has not expired.

Issue with a 1-token system (ie only a JWT access token)?

Issuing a JWT is tied to the password: a new JWT is handed out only when the user enters the correct password, so the token lifetime decides how often the user has to re-enter it.
Long JWT expiry (3 months):
  If the expiry is long and the token is compromised, the attacker can use it for the whole remaining lifetime. A plain JWT is verified statelessly from its signature, so the server cannot revoke it before exp without adding server-side state (a blocklist), which defeats the point of a stateless token.
Short JWT expiry (24 hours):
  If the expiry is short (ie 1 day), the user has to enter the password again every day.
Solution: Maintain 2 tokens.
  Short-lived (minutes to hours, eg 15 minutes up to 24 hours): access token (a JWT)
  Long-lived (eg 90 days): refresh token (an opaque string kept in the DB, so it can be revoked)

Refresh Token

What? A refresh token does not have to be a JWT; it is typically an opaque, unguessable random string (often a UUID, better a value from a CSPRNG such as 32 random bytes) that the server stores, ideally as a hash, against the user in the DB.
Advantages?
  1. It keeps the long-lived credential from floating around on the internet: the refresh token is sent only to the refresh endpoint, not on every request.
  2. Only the short-lived access token (15 min or 1 hour life) travels on the wire with every request, so if one is captured the attack window is limited to its remaining lifetime.
  3. The user need not enter the password again each time the access token expires; the client silently renews it with the refresh token.
  4. Long-lived JWTs are hard to revoke and act as a permanent key to the system for their entire duration (eg 90 days); a refresh token lives in the DB, so deleting its row (on logout, password change or suspected theft) revokes it immediately.
Caveats: rotate the refresh token on every use (the old one becomes invalid, and presenting an already-rotated token is a signal that it was stolen and replayed), and on the web keep it in an HttpOnly cookie or equally protected storage rather than localStorage.

Flow

On login the server now returns 2 tokens to the frontend.
  1. access_token: short-lived JWT (for example, 15-60 minutes).
  2. refresh_token: long-lived opaque random string, stored (hashed) server-side (eg 7-90 days)

  CLIENT/FRONTEND                                     SERVER/BACKEND
          ------------------ login (user,pass) -------------->
                                                    Verify user,pass
                                                    Generate JWT access token + random refresh token
                                                            ------ hash(refresh_token) -----> DB
                                                                                         Store with user id, expiry
          <------ access_token (JWT) + refresh_token (string) --

    Access REST endpoint
          -------- GET /users (Authorization: Bearer <access_token>) ------>
                                                        Validate JWT signature + exp
          <--------------- 401 Unauthorized -------- Token expired

    Call refresh endpoint
          -------- POST /auth/refresh (refresh_token) ----->
                                                              Look up hash(refresh_token) in DB, check expiry
                                                              Rotate: mark old refresh token as used
                                                              Issue new (access, refresh) pair
          <------ new access_token (JWT) + refresh_token (string) --
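The token pair, the DB-backed refresh token and the refresh flow above, as an added example that is not part of the original notes. It covers both the "Refresh Token" advantages (revocation, short attack window) and the login/refresh flow. JWT signing is a hand-rolled HS256 so the script runs offline with only the standard library; in a real service you would use a vetted JWT library. The names (mint_access_token, refresh, REFRESH_DB), the TTLs and the in-memory dict standing in for the DB are assumptions made for the example.

```python
# Added example, not code from the original notes. Minimal access/refresh
# token service: HS256 JWT access tokens plus opaque, hashed, rotated refresh
# tokens kept in a dict that stands in for the DB. Assumed names and TTLs.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

JWT_SECRET = secrets.token_bytes(32)   # assumption: per-deployment HMAC key
ACCESS_TTL = 15 * 60                   # access token: 15 minutes
REFRESH_TTL = 90 * 24 * 3600           # refresh token: 90 days


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(user_id: str, now: Optional[float] = None) -> str:
    """Build a compact HS256 JWT with sub/iat/exp claims."""
    now = time.time() if now is None else now
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    payload = _b64url(json.dumps(claims, **compact).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":        # pin the algorithm; never honour alg=none
        return None
    expected = hmac.new(JWT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:         # expired -> the client must call /auth/refresh
        return None
    return claims


# Stand-in for the refresh_token table: key = sha256(token), value = row.
# Only the hash is stored, so a DB leak does not yield usable refresh tokens.
REFRESH_DB: dict = {}


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_refresh_token(user_id: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)       # CSPRNG output, not a time-based uuid1()
    REFRESH_DB[_hash(token)] = {"user": user_id, "exp": now + REFRESH_TTL, "used": False}
    return token


def login(user_id: str, password_ok: bool, now: Optional[float] = None) -> Optional[dict]:
    """Password check is assumed done by the caller; on success return both tokens."""
    if not password_ok:
        return None
    return {"access_token": mint_access_token(user_id, now),
            "refresh_token": issue_refresh_token(user_id, now)}


def revoke_all(user_id: str) -> int:
    """Delete every refresh token of a user (logout everywhere / suspected theft)."""
    victims = [k for k, r in REFRESH_DB.items() if r["user"] == user_id]
    for k in victims:
        del REFRESH_DB[k]
    return len(victims)


def refresh(refresh_token: str, now: Optional[float] = None) -> Optional[dict]:
    """POST /auth/refresh: validate against the DB, rotate, issue a new pair."""
    now = time.time() if now is None else now
    row = REFRESH_DB.get(_hash(refresh_token))
    if row is None or row["exp"] <= now:
        return None
    if row["used"]:
        # A rotated token presented again was replayed (stolen or buggy client):
        # revoke the whole family for that user and force a fresh login.
        revoke_all(row["user"])
        return None
    row["used"] = True                      # rotation: each refresh token is single-use
    return {"access_token": mint_access_token(row["user"], now),
            "refresh_token": issue_refresh_token(row["user"], now)}
```

The rows keep a used flag rather than being deleted on rotation so that a replay of an old token is recognisable and can trigger revocation of the user's other refresh tokens; a periodic job would purge rows past exp.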