Pass jwt refresh token on header or body

When the access token has expired, it should be re-issued using the refresh token.
At this point, I'm a little hesitant about which method is better.
The access token is passed in the HTTP header on every request.

  1. pass refresh token on HTTP header.
  2. pass refresh token on HTTP POST body(payload).

Which one is recommended?

sungyong asked Dec 08 '17 07:12




1 Answer

The JWT specification recommends (but does not require) sending access tokens in an Authorization header of type Bearer. But there is no mention of refresh tokens.

Refresh tokens are an OAuth2 concept. If you read the RFC 6749 specification, to refresh an access token, the refresh token is sent as a form parameter in a POST request:

6. Refreshing an Access Token ...

 POST /token HTTP/1.1
 Host: server.example.com
 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
 Content-Type: application/x-www-form-urlencoded

 grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

You can use the OAuth2 example as a reference (pass it in the body), although if you do not use OAuth2 you have no obligation, so use whichever sending method best suits your project.

pedrofb answered Sep 20 '22 14:09
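As an added illustration of the RFC 6749 section 6 exchange quoted in the answer (example code, not from the question, the answer, or any library), the following shows both sides: the client building the form-encoded refresh request, and a minimal token endpoint that parses it, rejects a reused refresh token by rotating it on every use, and returns RFC-style error codes. The in-memory store, the signing key, the hand-rolled HS256 token and the `REFRESH_STORE`/`token_endpoint` names are all constructed for this example; client authentication (the `Authorization: Basic` line in the RFC excerpt) is omitted.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode

# Constructed in-memory store: refresh_token -> (username, expiry epoch seconds).
# Seeded with the refresh token value used in the RFC 6749 example above.
REFRESH_STORE = {"tGzv3JOkF0XG5Qx2TlKWIA": ("alice", time.time() + 3600)}
SIGNING_KEY = b"constructed-demo-key"  # example only; load from a secret store in practice

def build_refresh_request(refresh_token):
    """Client side: the application/x-www-form-urlencoded body POSTed to /token."""
    return urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})

def issue_access_token(username, ttl=900):
    """Server side: a minimal HS256 JWT (header.payload.signature), no library used."""
    def b64url(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": username, "exp": int(time.time()) + ttl}).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = b64url(hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{signature}"

def token_endpoint(content_type, body):
    """Handle POST /token for grant_type=refresh_token; returns (status, json_dict)."""
    if content_type != "application/x-www-form-urlencoded":
        return 400, {"error": "invalid_request"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}
    if "refresh_token" not in form:
        return 400, {"error": "invalid_request"}
    # Rotation: the presented refresh token is consumed whether or not it is valid,
    # so a replayed (possibly stolen) token is rejected on its second use.
    entry = REFRESH_STORE.pop(form["refresh_token"], None)
    if entry is None or entry[1] < time.time():
        return 400, {"error": "invalid_grant"}
    username, _ = entry
    new_refresh = secrets.token_urlsafe(24)
    REFRESH_STORE[new_refresh] = (username, time.time() + 3600)
    return 200, {"access_token": issue_access_token(username), "token_type": "Bearer",
                 "expires_in": 900, "refresh_token": new_refresh}

if __name__ == "__main__":
    body = build_refresh_request("tGzv3JOkF0XG5Qx2TlKWIA")
    print(body)
    print(token_endpoint("application/x-www-form-urlencoded", body))
```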