DEV Community

Discussion on: API Authentication Workflow with JWT and Refresh Tokens

Collapse
gokayokyay profile image
Gökay Okyay Author

Hey, it's a very good point!
The refresh tokens can be very long-lived JWTs but in this case you'll want to handle refresh token creation/expiration differently than I've mentioned above. Maybe you can create a logic something like that users need to post their expired refresh tokens with jwts. Than you check them both and verify that they belong to the same user and create another refresh token and jwt. Hopefully I could answer your question :)

Collapse
kritish58 profile image
Rishi58 • Edited

thank you for your response,

1.store refreshToken=>token in redis db in server (if we can store in redis server will that cache remain alive till the refresh_token remains alive -like for 2-3 days or even a week)

2.whenever server recieves an expired token, it verfies the expired token from that mapping in no.1 and sends a new token to the client

3.I can store refreshToken in a cookie with better security like {sameSite} {httpOnly} {secured} and send it to server in every request from client

please correct me if this understanding is wrong, thank you

Collapse
farshadahmadi profile image
Farshad Ahmadi Ghohandizi

If access and refresh tokens are gonna be saved to (Redis) DB, should they be hashed? I assume they should.