
Overview

Based on the concept found in the Settings section of Long Running Refresh Token.

It means that you need to refresh the [access token] every 5 mins and you need to replace your refresh token within 7 days after it has been issued.

This will enable the user to maintain a refresh token session as long as we can refresh it within 7 days (e.g. `'JWT_REFRESH_EXPIRATION_DELTA': timedelta(days=7)`).

Note that you can't call `refreshToken(refreshToken: $refreshToken)` with an expired refresh token, as this will result in `"message": "Refresh token is expired"`.

Problem

Now the struggle here is: how do we know that the refresh token will expire in 7 days, so that we can create logic to check whether the session has 1 day left and then trigger a `refreshToken()` mutation?

Conclusion

Without knowing the expiration date of a refresh token, developers will have to store the date on the client side after the refresh token has been issued, to determine how old the refresh token is.

Well, if I am missing something, maybe there is already a simple approach to checking the refresh token's expiration date?

Shift 'n Tab

1 Answer

A JWT token is actually a Base64 encoded string that stores a lot of its own properties, including the one you're looking for. The beauty of a JWT token is that it also includes a hash, which is based on the useful parts of the token. This means that if someone changes a JWT token by changing the expiration/issue date, the username, or a custom value, the hash will no longer be valid and the token will be rejected.

In your case this means that you can accept a token, decode the string into a JSON object, check its value, and base your response on its contents. Hope this helps!

Ruben Helsloot
  • Thanks for the detailed answer, and I'm well aware that the JWT token can always be decoded to see the payload details. There we can also see the `orig_iat` and the `exp` of the token, etc. Refreshing the _access token_ is quite straightforward; however, the problem here is that _refresh tokens_ aren't JWTs but a sort of UID from which we cannot extract any information about when they will expire. Hope this clarifies the question, and hope you could help. – Shift 'n Tab Jul 27 '19 at 17:15
  • According to https://medium.com/monstar-lab-bangladesh-engineering/jwt-auth-in-go-part-2-refresh-tokens-d334777ca8a0, the refresh token should also be decodable and should consist of three parts as well, including an expiration date. – Ruben Helsloot Jul 27 '19 at 20:31
  • We also expect this one. It's odd why they use a UID for the refresh token instead of just using a JWT as well. Seems like there is no choice but to store the date on the client side after requesting a refresh token. – Shift 'n Tab Jul 29 '19 at 13:49
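The thread's two halves, the answer's point that the access token's `exp`/`orig_iat` can be read from its payload and the questioner's conclusion that the opaque refresh token's issue time must be recorded client-side, combined into one added example (not code from the thread or from django-graphql-jwt). The 7-day and 1-day values mirror the question; `make_unsigned_token` only builds a constructed sample token, and the payload decoder deliberately skips signature verification, so its output is fit for scheduling a refresh but never for an authorization decision.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Assumed to mirror the server settings quoted in the question.
REFRESH_EXPIRATION_DELTA = timedelta(days=7)   # 'JWT_REFRESH_EXPIRATION_DELTA'
ROTATE_BEFORE_EXPIRY = timedelta(days=1)       # call refreshToken() when this much is left


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Read a JWT payload WITHOUT verifying the signature (scheduling use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def access_token_needs_refresh(token, now, leeway=timedelta(seconds=30)) -> bool:
    """True when the access token's `exp` is within `leeway` of `now` or already past."""
    exp = datetime.fromtimestamp(decode_jwt_payload(token)["exp"], tz=timezone.utc)
    return now + leeway >= exp


class RefreshTokenRecord:
    """An opaque refresh token plus its issue time; the token itself carries no `exp`."""

    def __init__(self, token: str, issued_at: datetime):
        self.token = token
        self.issued_at = issued_at  # must be persisted alongside the token on the client

    def expires_at(self) -> datetime:
        return self.issued_at + REFRESH_EXPIRATION_DELTA

    def is_expired(self, now: datetime) -> bool:
        # Past this point the server answers "Refresh token is expired".
        return now >= self.expires_at()

    def should_rotate(self, now: datetime) -> bool:
        """True during the final day of the window, while refreshToken() is still accepted."""
        return not self.is_expired(now) and now >= self.expires_at() - ROTATE_BEFORE_EXPIRY


def make_unsigned_token(payload: dict) -> str:
    """Constructed sample only: an unsigned (alg 'none') JWT with the given payload."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."
```

After a successful `refreshToken()` mutation, create a new `RefreshTokenRecord` with the returned token and the current time so the 7-day clock restarts from the new issue time.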