I'm here because I wasn't satisfied with what I found on google.
I am generally building SPAs, so for me the process was simple: at successful login generate a JWT and use it for every request I make from the client.
Someone told me that I should refresh that token and send back a new one for every request I make. Does this make sense for me to do? I mean, if someone is trying to hack me, sniffing the requests will give the hacker the same tokens I receive, so what's the catch?
I mean, what if I launch a request before another one is finished? Theoretically I would send the same token twice and one of the requests will be rejected.
How is this correctly handled? I'm sure there is more to this than what I could think myself.
The most secure option is for the authorization server to issue a new refresh token each time one is used. This is the recommendation in the latest Security Best Current Practice which enables authorization servers to detect if a refresh token is stolen.
Yes, you need a separate service that issues and refreshes tokens. It won't update the expiration of the existing JWT token.
The refresh token is set with a very long expiration time of 200 days. If the traffic to this API is 10 requests/second, then it can generate as many as 864,000 tokens in a day.
It is a compromise between security and convenience.
No, you don't need to refresh the token on each request. But you definitely want your JWTs to expire at some point. This is to protect you from JWT theft, where a malicious user could use a stolen access token to gain access to the target resource indefinitely.
Here is what you can do to handle token expiration: