Is it viable to refresh Auth Token on every request?

Does it make sense, in the general case, for a web API service to send a newly generated token on each request a user makes, which the client app must then use for the next request?

I am thinking of a way to make tokens expire, but if a client app is consuming data from the API, not require it to sign in again.

I think it's quite easy to implement, but I'm not sure whether there could be UX or logic/security issues with it.

Sergei Basharov asked Aug 12 '16 14:08




1 Answer

This is an existing technique and uses the concept of sliding sessions explained by Auth0 here: Refresh Tokens: When to Use Them and How They Interact with JWTs

Sliding sessions are sessions that expire after a period of inactivity. When a user performs an action, a new access token is issued. If the user uses an expired access token, the session is considered inactive and a new access token is required. This new token can be obtained with a refresh token or by requiring credentials.

pedrofb answered Sep 26 '22 23:09
