27

I am using jsonwebtoken in NodeJs API application for authenticating user in my API application. The flow that I have setup is as follows:

1) The user registers through signup API and the access token is generated using the following:

var jwt = require('jsonwebtoken');
var token = jwt.sign(user, _conf.authentication.superSecret, {
    expiresIn: 1440 // I intend to keep it short.
});

2) The token expires in 24 hours for example. This token is returned to the client mobile application to use as header in all the subsequent API requests.

I want to know how do I work around with refresh token for jwt. Currently I don't have a mechanism for refreshing token. Hence if the token expires in 24 hours I want the client (mobile app) to be able to request a new access token. Thanks in advance.

XCEPTION
  • 1,671
  • 1
  • 18
  • 38
  • Have a look at my post here: http://stackoverflow.com/questions/38766688/understanding-json-web-token-jwt-in-context-of-web-authentication It explains a setup using refresh tokens. – B M Aug 06 '16 at 12:15

1 Answers1

37

I had same problem in a project.

1) I created the refresh token and returned it when user signed in (with the jsonwebtoken). I saved the refresh token with the user.

2) When client send a request with the expired token, server returns 401.

3) I implemented a new path to refresh the token. It receives the refresh token and the user as param and returns a new token (jsonwebtoken).

4) (optional) You can implement a mechanism for invalidating a refresh token, in case someone stole it

I based my implementation in this post, really good snippets:

Refresh token in JWT (Node.js implementation)

Hope it helps

Vladyslav Zavalykhatko
  • 15,202
  • 8
  • 65
  • 100
David Vicente
  • 3,091
  • 1
  • 17
  • 27