Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
954 views
in Technique[技术] by (71.8m points)

spring boot - Should I explicitly send the Refresh Token to get a new Access Token - JWT

In my application, I return an access token and a refresh token when a user logs in successfully. The expiration times for access and refresh token have been set to 10 and 40 minutes respectively. (I should do some more research on those values. This is just for testing)

I used the implementation described in following article

http://www.svlada.com/jwt-token-authentication-with-spring-boot/

Let's say I invoke a request to the server after 10 minutes of the login in. Since the access token is expired, I am getting 401 error response.

However, as a beginner, I find it difficult to understand whether I need to send the refresh token explicitly in order to obtain a new access token. If I should do so, how to do that? I should send the refresh token as what? a header?

Or else, when my request is rejected by the server since the access token is expired, should the refresh token itself send a request automatically to the server in order to obtain a new access token?

I found it hard to understand the nature of the behavior of refresh token from the resources I found on the net. Kindly clarify me on these questions.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Yes, the refresh token is used to obtain a new access token.

When you request the access token for the first time, you usually start by sending a token request to the token endpoint, in case of the so called Resource Owner Password Credentials Grant with user credentials in the request header, e.g.

grant_type=password&username=user1&passowrd=very_secret

when the access token is expired, you have to request a new access token. This time, with a refresh token which is still valid, you don't need the user credentials again but send

grant_type=refresh_token&refresh_token=<your refresh token>

instead. This way you don't need to store the user credential on client side and don't need to bother the user again with a login procedure. As you know the expiry time, you can also implement a mechanism to refresh your token before the access_token is expired.

Additionally you can read this for further information about the topic: https://auth0.com/learn/refresh-tokens/

In the following tutorial is also a screenshot of how to use refresh token in postman: http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/ (scroll down to step 6) Generally I can recommend reading Taiseer Joudeh's tutorial, esp. for C#, ASP.NET uand Angular programmers.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...