5

I am using jjwt to create token using the documentation on github https://github.com/jwtk/jjwt#specification-compliant

I understood that I have to create a refresh token store it on my database and use it to create an access token for the user. But I don't find a simple example to help me to understand how to code it. I am able to create a token following the github documentation but i don"t know how to create a refresh token and then an access token using my refresh one.

I am using java on android studio and as back up api using App Engine Java servlet module

Improve this question

3 Answers 3

Reset to default
3

Well, it has been a long time, but I think neither of already posted answers actually addresses the original question. Let me handle it:

You should understand, that, technically speaking, your Refresh Token could be anything. Let me explain: you need Refresh Token just to later on reissue an Access and Refresh tokens pair. In most cases, you should store your Refresh Token in database (or in-memory Cache, like Redis). Technically you do not obligated to sign a Refresh Token, or encrypt it. Do the following:

  1. Generate Access Token (and of course, it must be signed)

  2. Generate Refresh Token the way you want. It can be almost the same JWT, but with far more extended TTL (Time to live). Store it in some data storage, again depends on your requirements

  3. Once the Access Token get expired, the Client, to which you have issued tokens, come to you with the Refresh Token you have generated on the step 2. You will pull Refresh Token you have saved on the previous step, check for their equality. If everything is alright (Refresh Tokens matches) - repeat procedure from the first step. That is it.

Hope it helped

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

+, You also have to invalidate refresh token once it is used in step 3
2

even that it has been a long time since then:

You have 2 tokens: one that expires fast (token) and one that expires after a very LONG TIME (refresh token).

The reason for this is because refresh token is actually used very rarely and you don't send it over the network so often. if you send a token very often over the network you have to make it expire fast (it's up to you to decide how long a token lives 30 mins/1 hour/2 days).

When the JWT token where you store the data has expired you use the refresh token (from client side which should be stored securely) and get another token that you send very often over the network.

The flow should be like this:

  1. login with credentials => get token (2hours expiry) and refresh token(30 years expiry);
  2. client stores both tokens securely
  3. token expired
  4. using refresh token make a request and get another token that expires in 2 hours
  5. refresh token expires after 30 years - logout the user

The refresh token is just used to not put the user insert credentials again

Improve this answer

Comments

0

Creating a refresh token is just creating a "normal" token with new (refreshed) data (claims) in it.

It only makes sense if your claims that the server issues change over the time like e.g. the expiration time. Obviously only the token issuer (I assume the server in your case) can refresh the tokens and client needs to poll for them or the server needs to notify the client.

On the server just create the new token with a future expiry time filled in:

Calendar cal = Calendar.getInstance(); // creates calendar
cal.setTime(new Date());
cal.add(Calendar.HOUR_OF_DAY, 1);
cal.getTime();

String compactJws = Jwts.builder()
  .setSubject("Joe")
  .setExpiration(cal.getTime();) // set expiration to e.g. one hour in the future
  .signWith(SignatureAlgorithm.HS512, key)
  .compact();

Hint: you cannot invalidate JWT tokens apart from putting them on a central blacklist what kind of cannibalizes the concept of JWT.

Improve this answer

8 Comments

Am I not supposed to have a refresh token with an expiration 60 days( for example), store on a database and access token store on mobile device only available for 1 hour let's say ?
I don't understand your questions completely. The server creates a token, sends it to the client and it's persisted on the client. On each client's request the token is attached which the server verifies. The server does not need to persist the token because otherwise the concept would be the same as server-side sessions. Is that what you asked @LucasTambarin?
Hum I don't know ^^'. i have read that for security behavior. I need to have a refresh token which is long lived let's say 60 days, and with this refresh token I am supposed to create access token that is short lived like 1 hour. When the access token expires I create a new one thanks to the refresh token. And my issue, is I don't know what information should the refresh and access tokens contain and how to create an access token from the refresh one.
I don't get the sense behind having a long-lived and a short-lived token and creating one based on the other. A JWT token is nothing more than a bunch of data (user name, expiry time, whatever you want to verify later) and it's cryptographically signed. Could you explain more what you're trying to achieve and perhaps there's an easier solution for your problem?
auth0.com/blog/… It explains well what I meant ^^
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.