I’m using JWTs for authentication with an accessToken and a refreshToken.
- The accessToken is short-lived (e.g., 15 minutes).
- The refreshToken is long-lived (e.g., 7 days).
When the client uses the /auth/refresh endpoint to get a new accessToken, should I also issue a new refreshToken?
If I do:
- What’s the best way to handle invalidating the old refreshToken?
- Are there security benefits to refreshing the refreshToken along with the accessToken?
I want to ensure the implementation is secure and follows best practices.
Any advice or recommendations are greatly appreciated!
I haven’t tried refreshing the refreshToken yet, as I’m unsure if it’s necessary. I want to understand whether it’s a best practice to refresh the refreshToken along with the accessToken or if the same refreshToken should be used until it expires.
- Please provide enough code so others can better understand or reproduce the problem. – David Merinos Commented Jan 22 at 17:34
2 Answers
Yes, you should issue a new refresh token every time the client requests a new access token. This process, known as refresh token rotation, enhances security by preventing token reuse attacks. If a refresh token is compromised, an attacker won’t be able to use it once a new token has been issued and the old one has been invalidated. This approach ensures that only the latest refresh token remains valid, reducing the risk of unauthorized access.
To properly implement refresh token rotation, you should invalidate the old refresh token whenever a new one is issued. This can be done by storing refresh tokens in a database and marking them as expired upon rotation. Additionally, refresh tokens should be stored securely on the client side, such as in HTTP-only cookies (for web apps) or secure storage (for mobile apps). Monitoring token refresh events can also help detect suspicious activities, such as attempts to use an old refresh token.
Best practices include using short-lived access tokens (e.g., 15 minutes) and longer-lived refresh tokens (e.g., 7 days), but rotating them with every refresh request. Implementing rate limiting can prevent abuse, while keeping a denylist of revoked tokens ensures they cannot be reused. Some alternatives to full rotation include sliding expiration, where the refresh token's validity is extended upon each use, and opaque tokens, which are stored in a database rather than using JWTs. However, refresh token rotation remains one of the most secure and widely recommended approaches.
How we can use access tokens and refresh tokens: basic flow
Let’s say a user logs into the app, providing credentials, and the app returns the following:
1. Access JWT token with an expiry that is usually shorter.
2. Refresh JWT token with an expiry time longer than the access one.
The client will use the access token in the Authorization header, and it will be sent with every request. Generally, 401 is returned for an expired token.
If the application returns 401, the client will try to use the refresh token (using a specific endpoint) to get new credentials, isolated to the end user.
Tags: javascript. Source: Do I need to refresh the refresh token when using JWTs? - Stack Overflow