
I'm trying to get my head around refresh tokens and how they work with JWT, so I can use them without the Auth0 API service.

  • Why is the refresh token format different from JWT?
  • Are refresh tokens just simple tokens stored in the db?
  • What is the flow to use a refresh token to get a JWT token?

Thanks!

UPDATE

As @Florent Morselli suggested, the fundamental question of this post is wrong and confusing, since JWT and refresh tokens are not really concepts that can be related. A better question could be:

  • What is the difference between a JWT token and an opaque token?
  • What is the difference between an access token and a refresh token?

I'm not changing the question in the title, since somebody might be looking for the same thing in the same wrong way and it will lead them to this post.

Federico
  • Are you using code flow? – Omer Malik Oct 21 '18 at 10:35
  • Your question is not really clear as it mixes several concepts. JWT is just a standard format for digitally signed and/or encrypted tokens. Refresh tokens can be random strings as well as JWT. Your question could be "What is the difference between a JWT Token and an opaque token" or "What is the difference between an Access Token and a Refresh Token" – Spomky-Labs Oct 22 '18 at 07:45
  • @FlorentMorselli I see that now. I was pretty confused at the beginning; now I see the difference. However, I'm not sure I want to change the title, since somebody else might have the same "wrong" question and it could lead them to this entry. I will update the description with your comments. – Federico Oct 23 '18 at 15:06
  • OK understood. I wrote a possible answer for your questions. Hoping it is clear enough. – Spomky-Labs Oct 25 '18 at 09:14

2 Answers

Tokens can be of two types:

  • Tokens by Reference
  • Tokens by Value

With the first type, the tokens are opaque strings (often random strings) that refer to a database index where the values associated to the tokens are stored.

With the second type, the tokens contain the values. To avoid alteration they are digitally signed or hashed. As they also may contain sensitive data, they can be encrypted.

JSON Web Token is a suite of specifications (mainly RFC7515 to RFC7520) that introduces a new format for the second type.

Why are refresh tokens issued by Auth0 of the first type and not JWT (second type)?

The main benefit of the tokens by value is that they can be stateless i.e. you don't need any kind of database. This is really helpful when tokens are sent several times to a server as they drastically reduce database calls and thus reduce the response time.

The drawback is that you cannot revoke them. Or if you add a revocation system, then you have to manage and call a database. Therefore, tokens by value should have a very limited lifetime, which is not compatible with refresh tokens.

Spomky-Labs
  • In the first line, when you put `With the first type, the tokens are opaque strings`, you are talking about `Tokens by Reference`, which does not seem to match `The main benefit of the tokens by reference is that they can be stateless`.. is that possible? – Federico Oct 26 '18 at 13:17

Refresh tokens are used in the Code flow or Hybrid flow as per the OpenID spec. See image below.

Reference: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps

Why is the refresh token format different from JWT?

The format of the refresh token is also as per the spec from OpenID.

Reference: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps

Are refresh tokens just simple tokens stored in the db?

Refresh tokens would be generated dynamically by your IDP (Identity Provider).

What is the flow to use a refresh token to get a JWT token?

Once you have the refresh token, as shown in the previous step, you can make a request to the Token Endpoint with the refresh token to get an access token.

Access token


Omer Malik