DEV Community

yogini16

Refresh Token

In JWT (JSON Web Token) based authentication, refresh tokens are used to obtain new access tokens. Access tokens typically have a limited lifespan, usually ranging from a few minutes to a few hours. When an access token expires, the user would need to re-authenticate to obtain a new one. This is cumbersome and disruptive to the user experience.

To avoid this, the server issues a refresh token alongside the access token. Note that JWT itself is only a token format and says nothing about refresh tokens; the refresh token concept comes from OAuth 2.0 (RFC 6749). The refresh token is a long-lived credential, either an opaque random string that the server looks up or a JWT, that the client presents to request a new access token after the original access token expires.

Here's how it typically works:

The user authenticates with their username and password, and the server returns both an access token and a refresh token.
The access token is used to make authenticated requests to protected resources.
When the access token expires, the client sends a request to the server with the refresh token to request a new access token.
The server checks the refresh token to ensure it is valid and not expired. If it is valid, the server returns a new access token and a new refresh token. If the refresh token is invalid, the server responds with an error.
It's important to note that refresh tokens must be stored securely, because they can grant access to protected resources for a long period of time. In a browser, the safest storage is an HttpOnly, Secure, SameSite cookie scoped to the refresh endpoint, so that script running in the page (for example after an XSS bug) cannot read it. localStorage and sessionStorage are readable by any script on the origin and are not a secure place for a refresh token. On the server side, store only a hash of each refresh token, bind it to the user and a session, and keep a way to revoke it on logout or suspected compromise.

How does it work?

Let's say you're building a web application that requires users to authenticate before accessing protected resources. You're using JWT for authentication, and you've set the access token lifespan to 15 minutes. After 15 minutes, the access token expires, and the user needs to re-authenticate to obtain a new one. To avoid this, you decide to use refresh tokens.

Here's how refresh tokens work in this scenario:

1. User authenticates: The user provides their username and password to the server to authenticate. If the authentication is successful, the server generates an access token and a refresh token and sends them back to the client.

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

2. Access token is used: The client includes the access token in the Authorization header of every authenticated request to the server. The server verifies the access token and grants access to protected resources if the token is valid.

GET /api/protected HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

3. Access token expires: After 15 minutes, the access token expires. The server validates the signature and the exp claim on every request, so when the client presents the expired token it responds with 401 Unauthorized.

HTTP/1.1 401 Unauthorized
Content-Type: application/json

{
  "error": "Access token has expired"
}

4. Refresh token is used: To obtain a new access token, the client sends a request to the refresh endpoint with the refresh token (in the request body here, or in an HttpOnly cookie for browser clients), always over TLS. The server verifies that the refresh token is one it issued, that it has not expired and has not been revoked, and only then generates a new access token.

POST /api/refresh-token HTTP/1.1
Content-Type: application/json

{
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

5. New access token is returned: If the refresh token is valid, the server generates a new access token and sends it back to the client.

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

6. Refresh token is updated: The server can also generate a new refresh token and send it back along with the new access token (refresh token rotation), or it can keep using the same refresh token. Rotation is the safer choice: each refresh token is valid for exactly one refresh, the old one is invalidated, and if an already-used refresh token is presented again the server treats that as a sign the token was stolen and revokes the whole session. If a new refresh token is issued, the client must store it securely and use it in the next refresh request.

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

This process continues until the user logs out, the refresh token expires, or the server revokes it. Refresh tokens typically have a much longer lifespan than access tokens (days or weeks rather than minutes), so they can be used to obtain new access tokens for an extended period of time without requiring the user to re-authenticate. Because logout must actually end the session, the server should invalidate the refresh token on the server side at logout rather than relying on the client to forget it.
</gre_replace>
<gr_insert after="75" cat="add_content" lang="python" orig="This process continues">
The six steps above, walked through end to end as an added example (this is illustrative code written for this article, not code from the original post or from any library). It assumes a demo HS256 key, a 15-minute access token lifetime as in the scenario, opaque refresh tokens stored server-side only as SHA-256 hashes, and refresh token rotation with reuse detection, which goes one step beyond the text's "keep using the same refresh token" option. The credential check, the key and the clock values are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets

SECRET_KEY = b"demo-hs256-key-not-for-production"  # constructed demo key
ACCESS_TTL = 15 * 60            # 15 minutes, as in the article's scenario
REFRESH_TTL = 30 * 24 * 3600    # 30 days (assumed value for the demo)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Minimal HS256 JWT encoder: base64url(header).base64url(payload).base64url(sig)."""
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    header, payload = compact({"alg": "HS256", "typ": "JWT"}), compact(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: int, key: bytes = SECRET_KEY) -> dict:
    """Return the claims if the signature is valid and the token is unexpired, else raise ValueError."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_unb64url(header)).get("alg") != "HS256":  # pin the algorithm; never trust 'alg' blindly
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("Access token has expired")
    return claims


class AuthServer:
    """Issues short-lived JWT access tokens and long-lived opaque refresh tokens."""

    def __init__(self):
        self.refresh_store = {}      # sha256(refresh token) -> {sub, family, exp, used}
        self.revoked_families = set()  # one family per login; revoked wholesale on reuse

    def _issue_pair(self, sub: str, family: str, now: int) -> dict:
        access = make_jwt({"sub": sub, "iat": now, "exp": now + ACCESS_TTL})
        refresh = secrets.token_urlsafe(32)  # opaque, high entropy; only its hash is kept
        self.refresh_store[hashlib.sha256(refresh.encode()).hexdigest()] = {
            "sub": sub, "family": family, "exp": now + REFRESH_TTL, "used": False}
        return {"access_token": access, "refresh_token": refresh}

    def login(self, username: str, password: str, now: int) -> dict:
        if (username, password) != ("alice", "correct horse"):  # constructed check, not a real password store
            raise PermissionError("invalid credentials")
        return self._issue_pair(username, family=secrets.token_hex(8), now=now)

    def refresh(self, refresh_token: str, now: int) -> dict:
        rec = self.refresh_store.get(hashlib.sha256(refresh_token.encode()).hexdigest())
        if rec is None or rec["exp"] <= now or rec["family"] in self.revoked_families:
            raise PermissionError("invalid refresh token")
        if rec["used"]:
            # A replayed refresh token means someone else holds a copy: revoke the whole family.
            self.revoked_families.add(rec["family"])
            raise PermissionError("refresh token reuse detected; session revoked")
        rec["used"] = True  # rotation: each refresh token is good for exactly one refresh
        return self._issue_pair(rec["sub"], rec["family"], now)

    def get_protected(self, access_token: str, now: int) -> tuple:
        """Simulates GET /api/protected; returns (status, body)."""
        try:
            claims = verify_jwt(access_token, now)
        except ValueError as e:
            return 401, {"error": str(e)}
        return 200, {"hello": claims["sub"]}


def demo() -> dict:
    """Runs steps 1-6 against a fake clock and reports what the server did at each step."""
    srv, t0 = AuthServer(), 1_700_000_000
    pair = srv.login("alice", "correct horse", t0)                        # step 1
    fresh, _ = srv.get_protected(pair["access_token"], t0 + 60)          # step 2
    expired, _ = srv.get_protected(pair["access_token"], t0 + 16 * 60)   # step 3: 401
    new_pair = srv.refresh(pair["refresh_token"], t0 + 16 * 60)           # steps 4-6
    after, _ = srv.get_protected(new_pair["access_token"], t0 + 16 * 60)
    outcomes = {"fresh": fresh, "expired": expired, "after_refresh": after}
    for label, tok in (("replay", pair["refresh_token"]), ("family_after_replay", new_pair["refresh_token"])):
        try:
            srv.refresh(tok, t0 + 17 * 60)
            outcomes[label] = "accepted"
        except PermissionError:
            outcomes[label] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The replay of the first refresh token is rejected, and because that replay revokes the family, the legitimately rotated token is rejected too; the user is forced back to step 1, which is the intended response to a suspected stolen refresh token.
<test>
r = demo()
assert r["fresh"] == 200
assert r["expired"] == 401
assert r["after_refresh"] == 200
assert r["replay"] == "rejected"
assert r["family_after_replay"] == "rejected"
tok = make_jwt({"sub": "x", "exp": 100})
assert verify_jwt(tok, now=50)["sub"] == "x"
try:
    verify_jwt(tok, now=50, key=b"other-key")
    assert False, "wrong key must fail"
except ValueError:
    pass
try:
    verify_jwt(tok, now=100)
    assert False, "expired token must fail"
except ValueError:
    pass
</test>
</gr_insert>
<gr_replace lines="77" cat="remove_boilerplate" orig="Top comments">

Top comments (0)