Should I explicitly send the Refresh Token to get a new Access Token - JWT
In my application, I return an access token and a refresh token when a user logs in successfully. The expiration times for the access and refresh tokens have been set to 10 and 40 minutes respectively. (I should do some more research on those values. This is just for testing.)

I used the implementation described in following article

http://www.svlada.com/jwt-token-authentication-with-spring-boot/

Let's say I invoke a request to the server 10 minutes after logging in. Since the access token is expired, I am getting a 401 error response.

However, as a beginner, I find it difficult to understand whether I need to send the refresh token explicitly in order to obtain a new access token. If I should do so, how do I do that? How should I send the refresh token, as a header?

Or else, when my request is rejected by the server since the access token is expired, should the refresh token itself send a request automatically to the server in order to obtain a new access token?

I found it hard to understand the nature of the behavior of refresh tokens from the resources I found on the net. Kindly clarify these questions for me.

Vivisectionist answered 7/7, 2017 at 17:34 Comment(0)

Yes, the refresh token is used to obtain a new access token.

When you request the access token for the first time, you usually start by sending a token request to the token endpoint, in the case of the so-called Resource Owner Password Credentials Grant with the user credentials in the request header, e.g.

grant_type=password&username=user1&password=very_secret

When the access token is expired, you have to request a new access token. This time, with a refresh token which is still valid, you don't need the user credentials again but send

grant_type=refresh_token&refresh_token=<your refresh token>

instead. This way you don't need to store the user credentials on the client side and don't need to bother the user again with a login procedure. As you know the expiry time, you can also implement a mechanism to refresh your token before the access_token expires.

Additionally you can read this for further information about the topic: https://auth0.com/learn/refresh-tokens/

The following tutorial also has a screenshot of how to use a refresh token in Postman: http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/ (scroll down to step 6). Generally I can recommend reading Taiseer Joudeh's tutorial, esp. for C#, ASP.NET and Angular programmers.

Whorton answered 7/7, 2017 at 18:55 Comment(3)
Can you give me a hint of how I should send the refresh token using a tool like Postman? Does it depend on how the server has been implemented? Vivisectionist
I added some more information to my answer, esp. a link to a tutorial that also illustrates the handling of refresh tokens in Postman. Whorton
Hi @jps, I am still looking around for an exact answer and trying. The implementation in fact does not support OAuth, I think. I cannot see the grant type being used in any of the places in my implementation. I am still trying and will let you know the proceedings. Some Spring Security stuff is still unclear. Vivisectionist
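
The two token requests described in the answer above (a password grant at login, then a refresh_token grant once the access token has expired), worked through end to end as an added example. This is not code from the original post, from the svlada.com tutorial, or from Spring Security: the in-memory token endpoint, the protected resource, the fake clock and the client class are all stand-ins (assumptions) so the exchange runs offline, and the request bodies are shown as dicts instead of url-encoded form strings. The user "user1"/"very_secret" is constructed sample data. Beyond the answer's description it also shows the two things a practitioner usually wants: refreshing shortly before expiry rather than waiting for a 401, and what happens when the refresh token itself has expired (the only option left is a new login).

```python
"""Refresh-token flow against a minimal in-memory OAuth2-style token endpoint.

Added example, not the original post's code. TokenServer and Client are
assumptions standing in for a real server and HTTP client.
"""
import secrets
import time

ACCESS_TTL = 10 * 60    # 10 minutes, as in the question
REFRESH_TTL = 40 * 60   # 40 minutes, as in the question


class TokenServer:
    """Stand-in for a token endpoint plus one protected resource (assumption)."""

    def __init__(self, users, clock=time.time):
        self.users = users              # username -> password (constructed sample data)
        self.clock = clock
        self.access = {}                # access_token -> (user, expires_at)
        self.refresh = {}               # refresh_token -> (user, expires_at)

    def _issue(self, user):
        now = self.clock()
        a, r = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[a] = (user, now + ACCESS_TTL)
        self.refresh[r] = (user, now + REFRESH_TTL)
        return {"access_token": a, "refresh_token": r, "expires_in": ACCESS_TTL}

    def token(self, form):
        """POST /token. Field names follow RFC 6749 (sections 4.3 and 6)."""
        grant = form.get("grant_type")
        if grant == "password":
            user = form.get("username")
            if user is None or self.users.get(user) != form.get("password"):
                return 400, {"error": "invalid_grant"}
            return 200, self._issue(user)
        if grant == "refresh_token":
            # pop(): a refresh token is single use here (rotation); a replay fails.
            entry = self.refresh.pop(form.get("refresh_token"), None)
            if entry is None or entry[1] <= self.clock():
                return 400, {"error": "invalid_grant"}
            return 200, self._issue(entry[0])
        return 400, {"error": "unsupported_grant_type"}

    def resource(self, headers):
        """GET /api/me, protected by the bearer access token."""
        auth = headers.get("Authorization", "")
        entry = self.access.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
        if entry is None or entry[1] <= self.clock():
            return 401, None
        return 200, {"user": entry[0]}


class Client:
    """Keeps both tokens; refreshes before expiry and again on an unexpected 401."""

    def __init__(self, server, clock=time.time):
        self.server, self.clock = server, clock
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _store(self, body):
        self.access_token = body["access_token"]
        self.refresh_token = body["refresh_token"]
        self.expires_at = self.clock() + body["expires_in"]

    def login(self, username, password):
        status, body = self.server.token(
            {"grant_type": "password", "username": username, "password": password})
        if status != 200:
            raise PermissionError(body["error"])
        self._store(body)

    def refresh(self):
        status, body = self.server.token(
            {"grant_type": "refresh_token", "refresh_token": self.refresh_token})
        if status != 200:
            self.access_token = self.refresh_token = None   # nothing left to retry with
            raise PermissionError("refresh failed, user must log in again: " + body["error"])
        self._store(body)

    def get_me(self):
        if self.clock() >= self.expires_at - 30:            # proactive: about to expire
            self.refresh()
        status, body = self.server.resource({"Authorization": f"Bearer {self.access_token}"})
        if status == 401:                                   # reactive: retry once after refresh
            self.refresh()
            status, body = self.server.resource({"Authorization": f"Bearer {self.access_token}"})
        if status != 200:
            raise PermissionError("request rejected")
        return body


def demo():
    """Run the whole flow on a fake clock and return the observed events."""
    now = [1_000_000.0]
    server = TokenServer({"user1": "very_secret"}, clock=lambda: now[0])
    client = Client(server, clock=lambda: now[0])
    client.login("user1", "very_secret")
    first_access, first_refresh = client.access_token, client.refresh_token
    events = [client.get_me()["user"]]                                      # fresh token works
    now[0] += 11 * 60                                                        # access token expired
    events.append(server.resource({"Authorization": f"Bearer {first_access}"})[0])  # raw call: 401
    events.append(client.get_me()["user"])                                  # client refreshed silently
    events.append(client.access_token != first_access)                      # new access token
    events.append(server.token({"grant_type": "refresh_token",
                                "refresh_token": first_refresh})[0])        # replay of rotated token: 400
    del server.access[client.access_token]                                  # server-side revocation
    events.append(client.get_me()["user"])                                  # 401 path, refresh, retry
    now[0] += 41 * 60                                                        # refresh token expired too
    try:
        client.get_me()
        events.append("unexpected")
    except PermissionError:
        events.append("login_required")
    return events


if __name__ == "__main__":
    print(demo())
```

The refresh token is sent in the body of a POST to the token endpoint, never as the bearer token of an ordinary API call, and the client never retries more than once after a 401, so an endpoint that keeps rejecting cannot cause a refresh loop. Which route your own Spring Security setup expects depends entirely on the server; the grant_type form above is the OAuth2 shape the answer describes.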
