Hi I have a couple questions about JWT refresh tokens and how they work. I've tried to research online but haven't been able to find answers to the following questions:

  • When should a refresh token be refreshed?
  • What is a proper lifespan of a refresh token?
  • Where should the refresh token be stored?

Thanks!

J.Kirk.

Refresh tokens have a lifetime, just like access tokens. However, the lifetime of a refresh token is typically much longer than that of an access token.

Refresh tokens can have lifetimes of months or years. When they expire, you'll need the end user to re-authenticate with the authorization server for it to issue a new access token and refresh token.

Refresh tokens are typically used by confidential clients and stored on the server side in a database.

MvdD
  • Thank you for your answer @MvdD - One thing I'm still uncertain of. Don't you refresh the refresh token every time you grant a new access token? In a scenario where you have a refresh token with a lifespan of 7d and the user logs in every day, he would never have to reauthenticate but would be 'permanently' logged in, since he renews the refresh token every time before it expires? – J.Kirk. Apr 12 '18 at 09:43
  • Refresh tokens are intended to be used by the client to get a new access token without bothering the actual user (who may not be there in case of offline access) with an authentication prompt. If the user logs in every day, you get back a new refresh token every day which is valid for the same amount of time. I described OAuth flows and refresh tokens in more detail here: https://stackoverflow.com/a/31768524/18044 – MvdD Apr 12 '18 at 15:09
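As an added illustration of the rotation described in the comments (example code, not from the question, the answer, or any library): a confidential client's backend keeps only a hash of each refresh token in a server-side table, hands out a short-lived HS256 JWT access token, and on every refresh retires the old refresh token and issues a new one with a fresh 7-day expiry. The class name, the `now` clock parameter, the signing key and the TTL values are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 15 * 60          # access tokens are short-lived (constructed: 15 minutes)
REFRESH_TTL = 7 * 24 * 3600   # refresh tokens live much longer (7 days, as in the comment thread)
HS256_KEY = b"constructed-demo-key-not-for-real-use"  # constructed sample key, never reuse

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_access_jwt(sub: str, exp: float) -> str:
    """Minimal HS256 JWT: the access token the client presents to the API."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "exp": int(exp)}).encode())
    sig = hmac.new(HS256_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

class RefreshTokenStore:
    """Server-side refresh-token table, as kept by a confidential client's backend.
    Only a SHA-256 hash of each refresh token is stored; the raw value lives at the client."""

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so expiry can be exercised without waiting
        self._rows = {}  # sha256(token) -> {"sub": ..., "exp": ..., "used": bool}

    def _issue(self, sub: str) -> dict:
        refresh = secrets.token_urlsafe(32)
        self._rows[hashlib.sha256(refresh.encode()).hexdigest()] = {
            "sub": sub, "exp": self.now() + REFRESH_TTL, "used": False}
        return {"access_token": make_access_jwt(sub, self.now() + ACCESS_TTL),
                "refresh_token": refresh}

    def login(self, sub: str) -> dict:
        """After the user authenticates: issue an access token plus a fresh refresh token."""
        return self._issue(sub)

    def refresh(self, refresh_token: str):
        """Exchange a refresh token for a new pair (rotation). Returns None when the client
        must send the user back to authenticate: token unknown, already used, or expired."""
        row = self._rows.get(hashlib.sha256(refresh_token.encode()).hexdigest())
        if row is None or row["used"] or self.now() > row["exp"]:
            return None
        row["used"] = True  # single use: a rotated-out token can never be replayed
        return self._issue(row["sub"])
```

Because each rotation resets the 7-day window, a user who refreshes at least weekly is never prompted again, which is exactly the behaviour the question's scenario describes; the session only ends once a refresh token goes unused past its expiry.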