In my application, I return an access token and a refresh token when a user logs in successfully. The expiration times for the access and refresh tokens have been set to 10 and 40 minutes respectively. (I should do some more research on those values. This is just for testing.)
I used the implementation described in the following article:
http://www.svlada.com/jwt-token-authentication-with-spring-boot/
Let's say I invoke a request to the server 10 minutes after logging in. Since the access token is expired, I am getting a 401 error response.
However, as a beginner, I find it difficult to understand whether I need to send the refresh token explicitly in order to obtain a new access token. If I should do so, how do I do that? Should I send the refresh token as a header?
Or else, when my request is rejected by the server because the access token is expired, should the refresh token itself send a request automatically to the server in order to obtain a new access token?
I found it hard to understand the nature of the behavior of refresh tokens from the resources I found on the net. Kindly clarify these questions for me.
Once they expire, client applications can use a refresh token to "refresh" the access token. That is, a refresh token is a credential artifact that lets a client application get new access tokens without having to ask the user to log in again.
The JWT is used for accessing secure routes on the API and the refresh token is used for generating new JWT access tokens when (or just before) they expire.
Yes, you need a separate service that issues and refreshes tokens. It won't update the expiration of the existing JWT token.
Refresh Tokens are typically longer lived than Access Tokens and are used to request a new Access Token without forcing user authentication. Unlike Access Tokens, Refresh Tokens are only used with the Authorization Server and are never sent to a web service.
Yes, the refresh token is used to obtain a new access token.
When you request the access token for the first time, you usually start by sending a token request to the token endpoint, in the case of the so-called Resource Owner Password Credentials Grant
with user credentials in the request header, e.g.
grant_type=password&username=user1&password=very_secret
When the access token has expired, you have to request a new access token. This time, with a refresh token which is still valid, you don't need the user credentials again but send
grant_type=refresh_token&refresh_token=<your refresh token>
instead. This way you don't need to store the user credentials on the client side and don't need to bother the user again with a login procedure. As you know the expiry time, you can also implement a mechanism to refresh your token before the access_token has expired.
Additionally you can read this for further information about the topic: https://auth0.com/learn/refresh-tokens/
The following tutorial also has a screenshot of how to use the refresh token in Postman: http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/ (scroll down to step 6). Generally I can recommend reading Taiseer Joudeh's tutorial, esp. for C#, ASP.NET and Angular programmers.
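Added example, not code from the article or from the answers above: a constructed in-memory stand-in for the token endpoint (`TokenEndpoint`, with single-use rotated refresh tokens) and a client (`Client`) that sends exactly the two form-encoded bodies shown in the answer, `grant_type=password` at login and `grant_type=refresh_token` later, and refreshes shortly before the 10-minute access token expires instead of waiting for a 401. The clock is injected so the flow can be stepped offline; the refresh token is only ever sent to the token endpoint, never alongside an API call.

```python
import secrets
from urllib.parse import parse_qs, urlencode

class TokenEndpoint:
    """Constructed stand-in for an OAuth2 token endpoint; not the article's Spring code."""
    ACCESS_TTL, REFRESH_TTL = 600, 2400  # 10 and 40 minutes, as in the question

    def __init__(self, users):
        self.users = users              # username -> password (demo data only)
        self.refresh_tokens = {}        # refresh token -> (username, expiry time)

    def _issue(self, username, now):
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = (username, now + self.REFRESH_TTL)
        return 200, {"access_token": "at-" + secrets.token_hex(8),
                     "expires_in": self.ACCESS_TTL, "refresh_token": refresh}

    def token(self, body, now):
        """Handle one form-encoded POST body; returns (http_status, json_dict)."""
        form = {k: v[0] for k, v in parse_qs(body).items()}
        grant = form.get("grant_type")
        if grant == "password":
            if self.users.get(form.get("username")) != form.get("password"):
                return 400, {"error": "invalid_grant"}
            return self._issue(form["username"], now)
        if grant == "refresh_token":
            # Single use: the presented refresh token is revoked and a new one issued.
            entry = self.refresh_tokens.pop(form.get("refresh_token"), None)
            if entry is None or entry[1] <= now:
                return 400, {"error": "invalid_grant"}  # expired/unknown: client must log in again
            return self._issue(entry[0], now)
        return 400, {"error": "unsupported_grant_type"}

class Client:
    """Keeps both tokens and refreshes the access token `skew` seconds before expiry."""
    def __init__(self, endpoint, now):
        self.endpoint, self.now = endpoint, now   # `now` is an injected clock callable
        self.access, self.refresh, self.expires_at = None, None, 0.0

    def _store(self, status, resp):
        if status != 200:
            raise PermissionError(resp["error"])
        self.access, self.refresh = resp["access_token"], resp["refresh_token"]
        self.expires_at = self.now() + resp["expires_in"]

    def login(self, username, password):
        body = urlencode({"grant_type": "password", "username": username, "password": password})
        self._store(*self.endpoint.token(body, self.now()))

    def access_token(self, skew=30):
        """Only place the refresh token leaves the client: a token-endpoint request."""
        if self.now() >= self.expires_at - skew:
            body = urlencode({"grant_type": "refresh_token", "refresh_token": self.refresh})
            self._store(*self.endpoint.token(body, self.now()))
        return self.access
```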