AngularJS token authentication with sliding expiration in state transitions with ui-router version 1.x

In our application we have a requirement that the user should stay logged in for a certain amount of time, configurable by the system admin, say 10 minutes. We have another requirement that when the user navigates to different parts of the app, this time should be refreshed and set back to the configured amount.

Our application is written in AngularJS and we use ui-router for routing, so when the user navigates between different states, the time until logout gets updated.

The back end is written in .NET and we use JWT tokens for authentication. The token has a field named expiration. At the beginning of each request we check that the token has not expired.

I have a problem: I don't know how to tell the server that it should update the token expiration time. I am using ui-router version 1 and it has some hooks for doing server-side things before state transitions. I ended up with something like this:

  $transitions.onBefore({
      to: "*"
  }, function(trans) {      
     // update the client ui, and also tell the server to update
     // the timeout in the serverside and database

     return authService.refreshToken();
  });

But I am uncertain whether this approach is correct. I couldn't find a good solution for such a problem in a REST architecture. I would be very grateful if you could tell me the pros and cons of this method or point me to the right implementation.

Rathma Avatar asked Dec 16 '25 17:12



1 Answer

THEORY

As far as I can see, the JWT standard doesn't really say anything about refresh. (https://tools.ietf.org/rfc/rfc7519.txt)

If I understand your problem correctly, you want somebody's token to be renewed automatically after X minutes of inactivity. I guess the approach you want is sliding sessions.

You can see a good article about it here: https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/

The best practice in such a case is not to extend the life of the token but to request a new one. You will find many articles and conventions talking about it. For security reasons, the shorter it is, the more secure it is.

Even if it is written for OAuth, here is a really good article listing different ways of token management: https://www.oauth.com/oauth2-servers/access-tokens/access-token-lifetime/


USE CASE

In your API, I would provide a refresh token that permits renewing the token through an HTTP request.

In your front end, I would make a service that stores the last transition date, let's say lastTransitionDate = new DateTime(). It will also store the token, the refreshToken and the expiration date of the token.

Now, when you have a transition:

  1. You check if the token is still valid (by sending a checkToken request, for example).
  2. If the token is no longer valid and the lastTransitionDate is more than X minutes ago, you force the logout.
  3. If the token is no longer valid but the lastTransitionDate is less than X minutes ago, then you ask for a new token by sending the refreshToken.
  4. After all checks, you reset lastTransitionDate.

The only thing you need to be sure of is that X is enough to make sure that a user won't be disconnected if he just spent some time reading some stuff on a page without triggering a transition.

BastienSander Avatar answered Dec 19 '25 10:12

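As an added example (not code from the question or from the answer above), here is the four-step transition check from the USE CASE section written as a plain JavaScript service. It differs from the answer in one respect: instead of sending a checkToken request, it reads the token's `exp` claim locally, which is a UX optimisation only, since the server still validates signature and expiry on every request. The refresh and logout calls are injected callbacks and kept synchronous so the scenario runs offline; in the real app `refresh` would wrap the $http call to the refresh endpoint and the ui-router hook would return its promise. The test token is constructed and unsigned. All names here (`createSlidingSession`, `makeTestToken`, `decodeJwtExp`, `demo`, the `rt-N` refresh-token values) are hypothetical.

```javascript
// Added example, not code from the question or the answer: the sliding-session
// transition check from the USE CASE section as a plain JavaScript service.
// All names here (createSlidingSession, makeTestToken, decodeJwtExp, demo) are
// hypothetical; the real refresh() would wrap the $http call to the API.

// base64url encoding, used only to build the constructed test token below.
function base64url(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

// Constructed, UNSIGNED test token (header.payload.signature) so the example
// runs offline. A real token is signed by the back end; never do this in production.
function makeTestToken(claims) {
  const header = base64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = base64url(JSON.stringify(claims));
  return `${header}.${payload}.test-signature`;
}

// Read the `exp` claim (seconds since epoch, RFC 7519 section 4.1.4) and return
// it in milliseconds. The client does NOT verify the signature; this is only a
// UX hint. The server still validates signature and exp on every request.
function decodeJwtExp(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (typeof claims.exp !== 'number') throw new Error('token has no numeric exp claim');
  return claims.exp * 1000;
}

// The front-end service from the answer: holds token, refreshToken, expiry and
// lastTransitionDate, and applies steps 1-4 on every state transition.
function createSlidingSession({ token, refreshToken, inactivityLimitMs, refresh, logout,
                                now = Date.now(), expiryLeewayMs = 5000 }) {
  const state = { token, refreshToken, expiresAt: decodeJwtExp(token), lastTransitionAt: now };

  // Call this from $transitions.onBefore. Returns 'valid', 'refreshed' or 'logout'.
  function onTransition(at = Date.now()) {
    const idleMs = at - state.lastTransitionAt;
    // Step 1: token still valid (with leeway for clock skew between client and server).
    if (at + expiryLeewayMs < state.expiresAt) {
      state.lastTransitionAt = at;                    // step 4
      return 'valid';
    }
    // Step 2: expired AND idle for longer than X -> force logout.
    if (idleMs > inactivityLimitMs) {
      logout();
      return 'logout';
    }
    // Step 3: expired but active within X -> exchange the refresh token for a new pair.
    const fresh = refresh(state.refreshToken, at);
    state.token = fresh.token;
    state.refreshToken = fresh.refreshToken;          // assumes the server rotates it
    state.expiresAt = decodeJwtExp(fresh.token);
    state.lastTransitionAt = at;                      // step 4
    return 'refreshed';
  }

  return { onTransition, getState: () => ({ ...state }) };
}

// Constructed scenario: 60-second access token, X = 10 minutes, three transitions.
function demo() {
  const t0 = 1700000000000;                           // fixed clock, ms since epoch
  let issued = 0;
  let loggedOut = false;
  const refresh = (refreshToken, at) => {             // stand-in for the refresh endpoint
    issued += 1;
    return {
      token: makeTestToken({ sub: 'alice', exp: Math.floor(at / 1000) + 60 }),
      refreshToken: `rt-${issued + 1}`,
    };
  };
  const session = createSlidingSession({
    token: makeTestToken({ sub: 'alice', exp: Math.floor(t0 / 1000) + 60 }),
    refreshToken: 'rt-1',
    inactivityLimitMs: 10 * 60 * 1000,
    refresh,
    logout: () => { loggedOut = true; },
    now: t0,
  });
  const outcomes = [
    session.onTransition(t0 + 30 * 1000),             // still valid
    session.onTransition(t0 + 90 * 1000),             // expired, idle 60 s -> refresh
    session.onTransition(t0 + 750 * 1000),            // expired, idle 660 s -> logout
  ];
  return { outcomes, refreshes: issued, loggedOut, refreshToken: session.getState().refreshToken };
}

console.log(JSON.stringify(demo()));
```

Two points worth keeping in mind when wiring this into `$transitions.onBefore`: the hook should return the promise from the refresh call so the transition waits for the new token, and the refresh endpoint should be the only thing that extends a session, with the access token kept short-lived and the refresh token rotated on each use so a stolen access token stops working on its own at `exp`.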


