4

I'm playing around and creating a custom access token system using JWT. I have already created a system for signing and validating JWT access tokens.

However, I find it hard to obtain information about what claims a refresh token should consist of.

Should I create refresh tokens identical to the access token - with a longer expiration time so that the same function that validates access tokens can be used to validate the refresh token?

The use of JWT as refresh token is a really bad idea. You will face security issues, especially because this token type cannot be revoked (if you do implement a revocation system, you don't need JWT at all). Regarding the content of the token, it is usually at least equivalent to the issued access tokens. – Spomky-Labs Jul 19 '21 at 23:28

1 Answer

0

A refresh token is typically an opaque value that is only used by clients to refresh access tokens. The flow works like this:

  • Web or mobile client implements OpenID Connect to authenticate users and get tokens - prompting the user to consent in some cases

  • An Authorization Server (AS) issues the tokens and stores details of this 'delegation' in a database - tokens are a pointer to this state

  • Client sends access tokens to APIs until a 401 expired response is received

  • Client then tries to refresh the access token by sending the refresh token to the Authorization Server, which then looks up claim details from the stored state

I would make sure you get these responsibilities right - in particular avoid building your own AS and use a free one provided by experts, such as Curity Community Edition. Many security solutions will then be easier to develop.

Gary Archer