
I’m using JWTs for authentication with an accessToken and a refreshToken.

  • The accessToken is short-lived (e.g., 15 minutes).
  • The refreshToken is long-lived (e.g., 7 days).

When the client uses the /auth/refresh endpoint to get a new accessToken, should I also issue a new refreshToken?

If I do:

  • What’s the best way to handle invalidating the old refreshToken?
  • Are there security benefits to refreshing the refreshToken along with the accessToken?

I want to ensure the implementation is secure and follows best practices.

Any advice or recommendations are greatly appreciated!

I haven’t tried refreshing the refreshToken yet, as I’m unsure if it’s necessary. I want to understand whether it’s a best practice to refresh the refreshToken along with the accessToken or if the same refreshToken should be used until it expires.

asked Jan 22 at 17:09 by taytaybear

  • Please provide enough code so others can better understand or reproduce the problem. – David Merinos, commented Jan 22 at 17:34

2 Answers

Yes, you should issue a new refresh token every time the client requests a new access token. This process, known as refresh token rotation, enhances security by preventing token reuse attacks. If a refresh token is compromised, an attacker won’t be able to use it once a new token has been issued and the old one has been invalidated. This approach ensures that only the latest refresh token remains valid, reducing the risk of unauthorized access.

To properly implement refresh token rotation, you should invalidate the old refresh token whenever a new one is issued. This can be done by storing refresh tokens in a database and marking them as expired upon rotation. Additionally, refresh tokens should be stored securely on the client side, such as in HTTP-only cookies (for web apps) or secure storage (for mobile apps). Monitoring token refresh events can also help detect suspicious activities, such as attempts to use an old refresh token.

Best practices include using short-lived access tokens (e.g., 15 minutes) and longer-lived refresh tokens (e.g., 7 days), but rotating them with every refresh request. Implementing rate limiting can prevent abuse, while keeping a denylist of revoked tokens ensures they cannot be reused. Some alternatives to full rotation include sliding expiration, where the refresh token's validity is extended upon each use, and opaque tokens, which are stored in a database rather than using JWTs. However, refresh token rotation remains one of the most secure and widely recommended approaches.

How access tokens and refresh tokens work: the basic flow

Let's say the user logs into the app, providing credentials, and the app returns the following:

1. An access JWT token, with an expiry time that is usually shorter.

2. A refresh JWT token, with an expiry time longer than the access token's.

The client will use the access token in the Authorization header, and it will be sent with every request. Generally a 401 is returned for an expired token.

If the application returns 401, the client will try to use the refresh token (using a specific endpoint) to get new credentials, isolated to the end user.
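An added example, not from this answer: the client side of the flow just described, written in Node.js against a constructed fake API (makeFakeApi and AuthClient are assumed names, the token strings are made up). It goes one step beyond the answer: once the server rotates refresh tokens, two requests that hit 401 at the same moment must share a single refresh call, because the second would otherwise replay the already-used refresh token and the server's reuse detection would end the session. The scenario runs both variants so the difference is visible.

```javascript
// Constructed fake backend standing in for a protected resource and /auth/refresh.
// Tokens are plain strings; the point is the client's behaviour, not the token format.
function makeFakeApi() {
  let validAccess = 'access-1';
  let validRefresh = 'refresh-1';
  let n = 1;
  let refreshCalls = 0;
  const tick = () => new Promise((resolve) => setImmediate(resolve)); // simulated latency
  return {
    async getProfile(bearer) {
      await tick();
      return bearer === validAccess ? { status: 200, body: { name: 'alice' } } : { status: 401 };
    },
    async refresh(refreshToken) {
      await tick();
      refreshCalls += 1;
      if (refreshToken !== validRefresh) {
        validRefresh = null; // unknown or replayed refresh token: server revokes the session
        return { status: 401 };
      }
      n += 1; // rotation: both tokens change, the old refresh token is no longer accepted
      validAccess = `access-${n}`;
      validRefresh = `refresh-${n}`;
      return { status: 200, body: { accessToken: validAccess, refreshToken: validRefresh } };
    },
    expireAccess() { validAccess = 'expired'; }, // stands in for the 15-minute expiry
    refreshCalls: () => refreshCalls,
  };
}

class AuthClient {
  constructor(api, tokens, { dedupeRefresh = true } = {}) {
    this.api = api;
    this.tokens = { ...tokens };
    this.dedupeRefresh = dedupeRefresh;
    this.inflight = null; // the refresh currently running, if any
  }

  async refreshTokens() {
    const doRefresh = async () => {
      const res = await this.api.refresh(this.tokens.refreshToken);
      if (res.status !== 200) {
        this.tokens = null; // the refresh itself failed: session over, back to the login screen
        throw new Error('session expired: re-authentication required');
      }
      this.tokens = res.body; // store BOTH new tokens; the old refresh token is now dead
    };
    if (!this.dedupeRefresh) return doRefresh();
    // Share one in-flight refresh between all callers that saw a 401 at the same time.
    if (!this.inflight) this.inflight = doRefresh().finally(() => { this.inflight = null; });
    return this.inflight;
  }

  // call(accessToken) performs the actual request with the Authorization bearer token.
  async request(call) {
    if (!this.tokens) throw new Error('not logged in');
    let res = await call(this.tokens.accessToken);
    if (res.status === 401) {
      await this.refreshTokens();
      res = await call(this.tokens.accessToken); // retry exactly once; a second 401 is final
    }
    return res;
  }
}

// One login, one expiry, then two requests racing for a refresh.
async function runScenario({ dedupeRefresh }) {
  const api = makeFakeApi();
  const client = new AuthClient(api, { accessToken: 'access-1', refreshToken: 'refresh-1' }, { dedupeRefresh });
  const first = await client.request((t) => api.getProfile(t));
  api.expireAccess();
  const results = await Promise.allSettled([
    client.request((t) => api.getProfile(t)),
    client.request((t) => api.getProfile(t)),
  ]);
  return {
    firstStatus: first.status,
    outcomes: results.map((r) => (r.status === 'fulfilled' ? r.value.status : 'logged-out')),
    refreshCalls: api.refreshCalls(),
    loggedIn: client.tokens !== null,
  };
}
```

With `dedupeRefresh: true` the two racing requests produce one refresh call and both end in 200; with `dedupeRefresh: false` the second refresh replays `refresh-1`, the fake server revokes the session, and the user is logged out even though nothing was attacked. The same single-flight guard is what a real client needs once the server rotates refresh tokens.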

Tags: javascript | Do I need to refresh the refresh token when using JWTs? (Stack Overflow)