Does refresh_token need to be JWT if access_token is JWT?
I decided to use identification, authentication and authorization by JWT token for the REST API, and questions came up when implementing token refresh.
Here is the request I have:
POST auth/refresh_token - should return access_token and refresh_token.
And here is the rub. Everywhere they write that the client must send both access_token and refresh_token.
Isn't one refresh_token enough?
And I have seen many places where the refresh_token is made a JWT. Why? After all, the refresh_token is not used in other services, so what is the point of making it a JWT?
I store the refresh_token in a DB, in a table with the fields: id, user_id, refresh_token, expired (token expiration time).
Accordingly, when the client sends a refresh_token, I look for it in the database; if it is not found, I return an error that the client is not authorized.
Then I check the refresh_token expiration date. If the validity period has expired, I return an error that the client is not authorized; if everything is fine, I generate tokens, delete the old refresh_token, save the new one and return the access_token and refresh_token to the client. For other requests to the API, the access_token is then used accordingly.
I don't know, it seems to me that having a refresh_token in JWT form is useless.
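The rotation flow described in the question, as an added worked example that is not code from the original post: an opaque random refresh_token stored hashed in a table with the question's fields (id, user_id, refresh_token, expired), a short-lived HS256 JWT access_token that other API endpoints verify statelessly, and a refresh function that does the lookup, expiry check and rotation. The signing key, the TTL values and the in-memory sqlite3 store are assumptions of this example, not anything from the page.

```python
import base64
import hashlib
import hmac
import json
import secrets
import sqlite3

# Assumed values for this example; in a real service the key comes from a secret store.
SIGNING_KEY = b"example-hs256-key-not-for-production"
ACCESS_TTL = 15 * 60          # access_token lifetime: 15 minutes
REFRESH_TTL = 30 * 24 * 3600  # refresh_token lifetime: 30 days


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_access_token(user_id: int, now: float) -> str:
    """Minimal HS256 JWT (header.payload.signature) so the example needs no library."""
    compact = dict(separators=(",", ":"))
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    claims = {"sub": str(user_id), "iat": int(now), "exp": int(now) + ACCESS_TTL}
    payload = _b64url(json.dumps(claims, **compact).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = _b64url(hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify_access_token(token: str, now: float):
    """The stateless check every other API endpoint does: signature, then exp.
    Returns the user_id or None; no DB access is needed for the access_token."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = _b64url(hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("exp", 0) <= now:
        return None
    return int(claims["sub"])


def open_store() -> sqlite3.Connection:
    """The refresh-token table from the question: id, user_id, refresh_token, expired."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE refresh_tokens ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " user_id INTEGER NOT NULL,"
        " refresh_token TEXT NOT NULL UNIQUE,"   # holds the SHA-256 of the token, not the token
        " expired INTEGER NOT NULL)"
    )
    return db


def _token_hash(token: str) -> str:
    # Only a hash is stored, so a leaked DB dump does not contain usable refresh tokens.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_tokens(db: sqlite3.Connection, user_id: int, now: float) -> dict:
    """Create a fresh opaque refresh_token plus a JWT access_token for user_id."""
    refresh_token = secrets.token_urlsafe(32)  # 256 random bits; no structure or claims needed
    db.execute(
        "INSERT INTO refresh_tokens (user_id, refresh_token, expired) VALUES (?, ?, ?)",
        (user_id, _token_hash(refresh_token), int(now) + REFRESH_TTL),
    )
    db.commit()
    return {"access_token": make_access_token(user_id, now), "refresh_token": refresh_token}


def refresh(db: sqlite3.Connection, presented_refresh_token: str, now: float) -> dict:
    """POST auth/refresh_token: look the token up, check expiry, rotate, return a new pair.
    Raises PermissionError where the question returns a 'not authorized' error."""
    row = db.execute(
        "SELECT id, user_id, expired FROM refresh_tokens WHERE refresh_token = ?",
        (_token_hash(presented_refresh_token),),
    ).fetchone()
    if row is None:
        raise PermissionError("unauthorized: unknown refresh token")
    row_id, user_id, expired = row
    # Remove the presented token whatever happens next: a used or expired token must not
    # stay valid, so a replay of the old refresh_token fails with 'unknown refresh token'.
    db.execute("DELETE FROM refresh_tokens WHERE id = ?", (row_id,))
    db.commit()
    if expired <= now:
        raise PermissionError("unauthorized: refresh token expired")
    return issue_tokens(db, user_id, now)


if __name__ == "__main__":
    store = open_store()
    first = issue_tokens(store, 42, 1_700_000_000)
    second = refresh(store, first["refresh_token"], 1_700_000_060)
    print("new pair issued, access_token for user", verify_access_token(second["access_token"], 1_700_000_061))
```

Only the refresh_token is ever presented to the refresh endpoint; the expired access_token is not needed, because the DB row already says which user the refresh_token belongs to. Since the refresh_token is only ever read by this one service against its own table, it gains nothing from being a JWT, which is the point the question makes.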
Let's start with the fact that JWT is not authentication, much less authorization. It is a token format. Authentication happens through a delegation protocol, OAuth or OIDC. The token format is not regulated in them. Do what is more convenient for you.