Hey everyone, this is my first post so go easy on me :P
So I want this post to help anyone who wants to build an authentication system. I'm sharin...
How should mobile authentication be different?
Hey! Sorry for the late reply.
Actually it's very similar, except for the refresh token part. In mobile apps, the APIs that the mobile OS provides us differ; therefore, we can change the structure of our JWT and refresh token. For example, if your app is doing something critical, you'll probably want to make your JWTs short-lived, say 5 minutes, and make your refresh token a JWT (which will live longer). Or if your app is not doing something critical, you may want your JWT to live longer than 30 minutes. But the idea is the same :)
I have a question. Isn't the refresh token supposed to be another JWT with a longer expiry time? In that case, how would you update the Redis DB that has the refresh JWT after it expires?
Hey, it's a very good point!
The refresh tokens can be very long-lived JWTs, but in this case you'll want to handle refresh token creation/expiration differently than I've mentioned above. Maybe you can create some logic where users need to post their expired refresh tokens together with their JWTs. Then you check them both, verify that they belong to the same user, and create another refresh token and JWT. Hopefully I could answer your question :)
Thank you for your response.
1. Store refreshToken => token in the Redis DB on the server (if we can store it in the Redis server, will that cache remain alive as long as the refresh_token remains alive, like for 2-3 days or even a week?)
2. Whenever the server receives an expired token, it verifies the expired token against the mapping in no. 1 and sends a new token to the client.
3. I can store the refreshToken in a cookie with better security, like {sameSite} {httpOnly} {secure}, and send it to the server in every request from the client.
Please correct me if this understanding is wrong, thank you.
If access and refresh tokens are gonna be saved to (Redis) DB, should they be hashed? I assume they should.
In the second scenario you wrote that when the server receives an expired token, it sends an unauthorized response to the client.
The client receives the unauthorized response and hits the refresh endpoint.
My question: where should I store logic for my refresh endpoint? Do I need second server for that?
I have a few suggestions and I don't know which is better.
Hey! Sorry for the late reply.
It depends on the architecture of your web app. If you use a microservices architecture, you could possibly create another service for the token refreshing and put the logic in there.
Thanks so much for this.