Log out user after inactivity with JWT Access and Refresh tokens

I am implementing an authentication mechanism in a web application with Angular 2.

I am going to use JSON Web Tokens: two types of token, an Access token (short-lived) and a Refresh token (long-lived), which are described here: https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/

I want to obtain the result which is common when sessions/cookies are used: after a period of user inactivity, the user is logged out. This basically means that the browser displays the login page and, in the case of JWT, the tokens are removed from the browser's localStorage or cookie storage.

I do not see a way to do this relying only on Access and Refresh tokens.

When the Access token expires (e.g. every 10 minutes), a new one is requested using the Refresh token (which expires every 8 hours). But what about when the user is inactive for e.g. 1 hour? The Refresh token is still valid, so the next user interaction will obtain a new Access token and the user can still use the app.

Maybe there are some Angular 2 or JavaScript mechanisms which, in case of user inactivity, perform some action or redirect to the login page?

LancerX asked Oct 24 '25 03:10



2 Answers

Just cache the timestamp of the last user activity (for the users you want to run the periodic check on) and revoke the refresh token when it crosses your threshold, then remove the user from that cache. If you really, really need that behaviour, and if you accept a server-side solution.

If you mean an Angular client-side solution, just forget the token pair after the given inactivity period.

Robert Simon answered Oct 26 '25 16:10



The Access Token expiry is to be checked only when a resource request is made. If the access token has expired, prompt the client to make a refresh token request. In the refresh token request, if the posted refresh token is valid and not expired, send the client a newly created access token and refresh token in the response. The client then silently reposts the resource request.

If the posted refresh token is invalid or expired, prompt the client to log out. Logging out of an idle session is implemented this way.

If the posted refresh token is invalid, it is important to blacklist/revoke all previously issued refresh tokens and the current one.

Ammamon answered Oct 26 '25 16:10
