5

I have followed this guide https://auth0.com/blog/implementing-jwt-authentication-on-spring-boot/ to implement access tokens in my web application and it is working fine. However, this guide does not mention anything about refresh tokens.

Can anyone help me out on how to implement this in Java Spring Boot? Or is there any other way to keep a user logged in?

odke
  • By design, your user is not 'logged in' since JWT is stateless. I recommend a full understanding of JWT mechanisms and purpose before trying to implement it using java, spring, nodejs or whatever – Akli REGUIG Apr 17 '18 at 12:08

2 Answers

6

Spring provides the functionality for getting a new access token if you configured it correctly, i.e. if authorizedGrantTypes contains "refresh_code".

You should use the refresh token to get a new access token by using the token endpoint like this:

curl -X POST -H "Authorization: Basic [base64encode(clientId:clientSecret)]" -d "grant_type=refresh_token&refresh_token=[yourRefreshToken]" "https://yourdomain.com/oauth/token"

Example:

curl -X POST -H 'Authorization: Basic dGVzdGNsaWVudDpzZWNyZXQ=' -d 'refresh_token=fdb8fdbecf1d03ce5e6125c067733c0d51de209c&grant_type=refresh_token' localhost:3000/oauth/token

{
    "token_type": "bearer",
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiVlx1MDAxNcKbwoNUwoonbFPCu8KhwrYiLCJpYXQiOjE0NDQyNjI4NjYsImV4cCI6MTQ0NDI2Mjg4Nn0.Dww7TC-d0teDAgsmKHw7bhF2THNichsE6rVJq9xu_2s",
    "expires_in": 20,
    "refresh_token": "7fd15938c823cf58e78019bea2af142f9449696a"
}

As described here: https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/

humbaba
1

Ref - Spring Boot + Refresh Expired JWT Implementation

Once the JWT has expired, the user/system will make a call to another URL, say /refreshtoken. Along with this request, the expired JWT should be passed. The server will then return a new JWT, which can be used by the user/system.


Batman Rises
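The two answers describe two different refresh mechanisms: the first exchanges an opaque refresh token at the OAuth2 token endpoint (the `grant_type=refresh_token` call and the `token_type`/`access_token`/`expires_in`/`refresh_token` response shown above), the second exchanges an already-expired JWT at a `/refreshtoken`-style endpoint. The block below is an added example written for this page; it is not code from either answer, from the Auth0 guide, or from Spring Security, and it is deliberately written in plain Python with only the standard library so the server-side logic can be read and run on its own rather than depending on a Spring setup. The names `TokenService`, `sign_jwt`, `verify_jwt`, `refresh_grant` and `refresh_expired_jwt`, the TTL values and the demo secret are all assumptions of this example. It shows the points a practitioner would want from both answers: refresh tokens are stored only as hashes and rotated on every use, reuse of an already-rotated refresh token revokes the user's whole family of tokens, and an expired JWT is accepted for renewal only after its signature is verified and only inside a bounded grace window.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo values (assumptions of this example, not from the page).
SECRET = b"constructed-demo-secret-replace-in-real-deployments"
ACCESS_TTL = 15 * 60            # access JWT lifetime: 15 minutes
REFRESH_TTL = 30 * 24 * 3600    # opaque refresh token lifetime: 30 days
EXPIRED_JWT_GRACE = 24 * 3600   # how long after exp an expired JWT may still be renewed


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Produce an HS256 JWT (header.payload.signature) over the given claims."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str, now: int, allow_expired_within: int = 0) -> dict:
    """Check signature first, then expiry; raise ValueError on any failure.

    allow_expired_within > 0 implements the second answer's case: a token whose
    exp is in the past is still accepted, but only within that many seconds.
    """
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_unb64(body))
    if now > claims.get("exp", 0) + allow_expired_within:
        raise ValueError("expired")
    return claims


class TokenService:
    """In-memory issuer (constructed for this example): sha256(refresh) -> record."""

    def __init__(self):
        self._refresh = {}

    def issue(self, user: str, now: int) -> dict:
        # Response shape matches the token endpoint reply shown in the first answer.
        access = sign_jwt({"sub": user, "iat": now, "exp": now + ACCESS_TTL})
        refresh = secrets.token_urlsafe(32)
        key = hashlib.sha256(refresh.encode()).hexdigest()   # never store the raw token
        self._refresh[key] = {"sub": user, "exp": now + REFRESH_TTL, "used": False}
        return {"token_type": "bearer", "access_token": access,
                "expires_in": ACCESS_TTL, "refresh_token": refresh}

    def refresh_grant(self, refresh: str, now: int) -> dict:
        """grant_type=refresh_token: rotate the refresh token, detect reuse."""
        rec = self._refresh.get(hashlib.sha256(refresh.encode()).hexdigest())
        if rec is None or now > rec["exp"]:
            raise PermissionError("invalid_grant")
        if rec["used"]:
            # A rotated token presented again means it leaked or was replayed:
            # revoke the whole family so neither party can keep refreshing.
            self.revoke_user(rec["sub"])
            raise PermissionError("invalid_grant")
        rec["used"] = True
        return self.issue(rec["sub"], now)

    def refresh_expired_jwt(self, token: str, now: int) -> str:
        """/refreshtoken style: accept an expired JWT, but only a genuine one, recently expired."""
        claims = verify_jwt(token, now, allow_expired_within=EXPIRED_JWT_GRACE)
        return sign_jwt({"sub": claims["sub"], "iat": now, "exp": now + ACCESS_TTL})

    def revoke_user(self, user: str) -> None:
        for rec in self._refresh.values():
            if rec["sub"] == user:
                rec["exp"] = 0
```

The `verify_jwt` order matters: signature before expiry, so an attacker cannot craft an arbitrary "expired" payload and have it renewed, and the grace window is what keeps the second answer's design from turning one stolen access token into a permanent credential. `refresh_grant` is the behaviour behind the first answer's curl call; a real deployment would back the `_refresh` map with a database and also bind the record to the client that obtained it.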