I'm developing an Android app and I'm a little confused regarding the token and refresh token. Basically, right now, after the user logs in with a mobile number and a code sent by SMS, the authentication server returns an access token that will be used for accessing all APIs. For the authentication server, I've used Laravel with the jwt-auth library. When the access token expires, I will ask for a new one using the user's credentials stored in the AccountManager. Is this the correct way to implement this authentication?
Or am I missing the refresh token, with which I ask for a new access token when the old one expires?
Thanks in advance, Daniele
A refresh token can get you a new access token without prompting the user to log in again: refreshing means obtaining a new access token with the help of the refresh token.
A refresh token is a special token that is used to obtain additional access tokens. This allows you to have short-lived access tokens without having to collect credentials every time one expires.
The risk of a refresh token is that it is long-lived, so a stolen one keeps working. The authorization server can contain this risk by detecting refresh token reuse using refresh token rotation: every refresh hands out a new refresh token and invalidates the previous one, so a replay of an old token reveals that it was copied. If your application uses refresh token rotation, the refresh token can then be stored on the client (local storage or browser memory in the case of a web app).
To get a refresh token, you must include the offline_access scope when you initiate an authentication request through the /authorize endpoint, and the API must be configured to allow offline access on the provider's side (see its API settings).
I think it's better to use both a token and a refresh token, so you don't always have to send your credentials when your access token is expired. Moreover, it's not safe to store users' credentials on a client device; you should store this information on your server and ask the user to type it when needed.
Here is how I implement the token/refresh token process:
1: You send your credentials to your authentication server (it will send you back an access token (I use the JSON Web Token type, which is not stored in the database) and a refresh token (which is stored in the database)).
2: When you make a request to your server you check if the access token is expired; if it is, you make a request to your authentication server with the refresh token as a parameter in order to get a new access token (depending on the configuration of your server it could give you back either a new access token or a new pair of access token and refresh token, which I prefer).
3: If the refresh token is expired you make a request with your credentials to get a new pair of tokens.
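The three-step flow above, together with the refresh token rotation and reuse detection described earlier on this page, as an added end-to-end simulation in Python. This is example code written for this page, not the asker's Laravel/jwt-auth code nor the answerer's implementation. It runs both sides in one process: a stand-in authentication server that issues an HS256 JWT access token (nothing stored server-side) plus a random refresh token stored hashed in an in-memory "database", and a mobile-style client that keeps only the two tokens and asks the user for credentials only when the refresh token is rejected. The secret, the TTLs (15 minutes / 30 days), the phone number and SMS code, and the class and method names are all assumptions made up for the demo; the FakeClock exists only so expiry can be exercised without sleeping.

```python
"""Access/refresh token flow with rotation and reuse detection (added example,
not the original page's code). All names, TTLs and sample credentials are
assumptions made for this demo."""
import base64
import hashlib
import hmac
import json
import secrets


class FakeClock:
    """Controllable clock so token expiry can be tested without sleeping."""
    def __init__(self, now=1_700_000_000):
        self.now = now

    def advance(self, seconds):
        self.now += seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServer:
    """Stand-in auth server: access tokens are HS256 JWTs (not stored),
    refresh tokens are random strings stored hashed and rotated on every use."""

    def __init__(self, secret: bytes, clock: FakeClock, access_ttl=900, refresh_ttl=30 * 86400):
        self.secret, self.clock = secret, clock
        self.access_ttl, self.refresh_ttl = access_ttl, refresh_ttl
        self.refresh_db = {}                      # sha256(token) -> record ("database")
        self.users = {"+15555550100": "123456"}   # phone -> SMS code (constructed sample)

    def _issue_access(self, user: str) -> str:
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64(json.dumps({"sub": user, "exp": self.clock.now + self.access_ttl}).encode())
        sig = hmac.new(self.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64(sig)}"

    def verify_access(self, token):
        """Resource-server check: return the subject, or None if invalid or expired."""
        try:
            header, payload, sig = token.split(".")
        except (ValueError, AttributeError):
            return None
        expected = hmac.new(self.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
        return claims["sub"] if claims["exp"] > self.clock.now else None

    def _issue_refresh(self, user: str, family: str) -> str:
        raw = secrets.token_urlsafe(32)   # only the hash is stored, like a password
        self.refresh_db[hashlib.sha256(raw.encode()).hexdigest()] = {
            "user": user, "family": family, "exp": self.clock.now + self.refresh_ttl, "used": False}
        return raw

    def login(self, phone: str, sms_code: str):
        """Step 1: credentials in, (access token, refresh token) out."""
        if not hmac.compare_digest(self.users.get(phone, ""), sms_code):
            raise PermissionError("bad credentials")
        return self._issue_access(phone), self._issue_refresh(phone, secrets.token_hex(8))

    def refresh(self, refresh_token: str):
        """Step 2: trade a refresh token for a NEW pair (rotation)."""
        rec = self.refresh_db.get(hashlib.sha256(refresh_token.encode()).hexdigest())
        if rec is None or rec["exp"] <= self.clock.now:
            raise PermissionError("refresh token unknown or expired: log in again")
        if rec["used"]:
            # An already-rotated token was replayed, so a copy exists somewhere.
            # Revoke the whole family; the legitimate device must log in again too.
            for key in [k for k, r in self.refresh_db.items() if r["family"] == rec["family"]]:
                del self.refresh_db[key]
            raise PermissionError("refresh token reuse detected: family revoked")
        rec["used"] = True
        return self._issue_access(rec["user"]), self._issue_refresh(rec["user"], rec["family"])


class MobileClient:
    """The app: stores only the two tokens, never the credentials, and asks the
    user (via the prompt callback) only when the refresh token is rejected."""

    def __init__(self, server: AuthServer, prompt):
        self.server, self.prompt = server, prompt
        self.access = self.refresh = None
        self.logins = 0   # how many times the user was asked for credentials

    def _login(self):
        self.logins += 1
        self.access, self.refresh = self.server.login(*self.prompt())

    def call_api(self) -> str:
        if self.access is None:
            self._login()
        user = self.server.verify_access(self.access)
        if user is None:                        # access token expired (step 2)
            try:
                self.access, self.refresh = self.server.refresh(self.refresh)
            except PermissionError:             # refresh expired or revoked (step 3)
                self._login()
            user = self.server.verify_access(self.access)
        return user
```

Two design choices worth noting: the refresh token is stored only as a SHA-256 hash, so a dump of the token table does not hand out usable tokens, and every refresh record carries a "family" id so that a replayed, already-used token revokes every token descended from the same login rather than just itself. Replace FakeClock with the real clock and the in-memory dict with a database table to turn this into a real refresh endpoint.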