9

I'm developing an Android app and I'm a little confused regarding token and refresh token. Basically now, after user login with mobile number and a code sent by SMS, the authentication server returns an access token that will be used for accessing to all apis. For the authentication server, I've used Laravel with jwt-auth library. When the access token will expired I will ask a new one using the credential of user stored in the AccountManager. Is it the correct way to implement this authentication?

Or I'm missing the refresh token, which I ask a new access token when this expired?

Thanks in advance, Daniele

Lic
  • 1,757
  • 3
  • 14
  • 16

1 Answers1

19

I think it's better to use both token and refresh token, so you don't always have to send your credentials when your access token is expired. Moreover it's not safe to store users credentials on a client device, you should store this informations on your server and ask the user to type it when needed.

Here how I implement the token/refresh token process :

1 : You send your credentials to your authentification server ( it will send you back an access token (I use the JSON web token type wich is not stored in database) and a refresh token ( that is stored in the database).

2 : When you make a request to your server you check if the access token is expired, if it is so, you make a request to your authentification server with the refresh token in paramter in order to have a new access token ( depending on the configuration of your server it could give you back whether a new access token , or a new pair of access token and refresh token which I prefer ).

3: If the refresh token is expired you make a request with your credentials to have a new pair of tokens.

Frédéric
  • 353
  • 4
  • 10
  • thanks Frederic. Finally I used the JWT-auth library for laravel (https://github.com/tymondesigns/jwt-auth/wiki) with this process: 1. user sends his credentials to auth server 2. with the library I create an access token 3. I store this token like a password in AccountManager class of Android 4. When the token expired I request a new one using it 5. If the request of new token fails I ask to user to resend the credentials. Do you think is a right process? – Lic Jul 29 '15 at 12:25
  • Generally we use the refresh token to limit the use of the client credentials being sent over the wire to the auth service. "The shorter the time to live of the access-token, the more often the client credentials will have to be used to obtain a new access-token, and therefore the more opportunities attackers have to compromise the client credentials . So if you have a single-use refresh-token, you can make the ttl of access-tokens arbitrarily small without compromising the client credentials." on http://stackoverflow.com/questions/3487991/why-does-oauth-v2-have-both-access-and-refresh-tokens – Frédéric Jul 29 '15 at 12:41
  • 1
    @Frédéric : if your refresh token leaks for example due to rooted Android phone --> then the attacker can keep on renewing the token . do you generate a unique refresh token for each user ? – j10 Jun 17 '17 at 10:39