3

I am implementing an authentication mechanism in a web application with Angular 2.

I am going to use JSON Web Tokens: two types of token, an Access token (short-lived) and a Refresh token (long-lived), which are described here: https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/

I want to obtain the result which is common when sessions/cookies are used: after a period of user inactivity, the user is logged out. This basically means that the browser displays the login page and, in the case of using JWT, the tokens are removed from browser localStorage or cookie storage.

I do not see a way to do this relying only on Access and Refresh tokens.

When the Access token has expired (e.g. every 10 minutes), a new one is requested using the Refresh token (which expires every 8 hours). But what if the user is inactive for e.g. 1 hour? The Refresh token is still valid, so the next user interaction will obtain a new Access token and the user can still use the app.

Maybe there are some Angular 2 or JavaScript mechanisms which, in case of user inactivity, perform some action or redirect to the login page?

LancerX

4 Answers

1

Just cache the timestamp of the last user activity (for users you want to run periodic checks on) and revoke the refresh token when it crosses your threshold + remove the user from that cache. If you really, really need that behaviour. If you accept a server-side solution.

If you mean an Angular client-side solution, just forget the token pair after the given inactivity period.

Robert Simon
0

If you want to use the token as a flag to terminate the session, just don't refresh it: set a short time to live and, when the server replies with 401, sign out the user. For this approach you have to generate a new token after each user interaction.

Jenkins
0

Access token expiry is to be checked only when a resource request is made. If the access token has expired, then prompt the client to make a refresh token request. In the refresh token request, if the posted refresh token is valid and not expired, send the client a newly created access token and refresh token as the response. The client then silently reposts the resource request.

If the posted refresh token is invalid or expired, prompt the client to log out. Logging out an idle session is implemented this way.

If the posted refresh token is invalid, it is important to blacklist/revoke all previously issued refresh tokens as well as the current one.

Ammamon
-1

You can implement some client-side rule, i.e. whenever the access token is going to expire, redirect them to the login page, or you can lock the user's screen to make them enter their credentials again. Please look at the features of Angular2 JWT.

Torreto
  • If your solution (the simplest solution one can imagine) could be acceptable... how do you think... would I write about two types of token? I have written about Access and Refresh tokens, but you wrote 'made a user to log every 10 minutes'. And what's most important... how is your answer connected to the inactivity of the user, which I asked about? To make a metaphor... I'm asking about the technique of drifting, but you tell me that red means stop and green means drive. – LancerX Mar 29 '17 at 21:07
  • 1
    My apologies for not understanding your question clearly. A feature like the one in your question is missing in JWT. One way to respond to an idle user is by using a module like NG IDLE. – Torreto Mar 30 '17 at 07:03