User identification

Wondermarin, 2020-03-21 01:19:58

User authentication in a client-server application using JWT?

Hello, I implemented authorization in an SPA using JWT, but a question arose: what should happen to the user when the token expires? You could simply force them to log in again, but that option is not very user-friendly. Perhaps a better solution would be to renew the token via a refresh token, but how is that option implemented?
Let's say the token is valid for 7 days and the refresh token for 8 days. If the user logs in on day 7, the token is renewed and they again have 7 days left, but in that case security suffers. Is there a better option?

And in general, is it appropriate to use JWT in this case?

I have never dealt with API authorization before, so go easy on me.


1 answer(s)
Alexey Blyshko, 2020-03-21
@Wondermarin

The token is valid for 15 minutes.
The refresh token is valid for 7 days (single-use).
On refresh, both tokens are reissued at once.
The refresh happens transparently to the user, in frontend logic: if the token has less than a minute left to live, we go and get a new one before the next request.
In total, we get the ability to check authorization and block the user at most once every 15 minutes,
and the user does not have to enter a password for a whole week.
