What is the preferred way to refresh a token when not working with Refresh Tokens, OAuth etc?

I just create a JWT when user authenticates against my API which is valid for some minutes.

The token is then used in an interceptor to access the secured routes of my API.

I would like to refresh the token a few minutes before the old token expires without redirecting the user to the login screen.

Technically this is not a problem (also without a refresh token).

But is it secure to just refresh it all the time? I think I already know the answer... it is NO.

I know that working with a refresh token is the preferred way.

But is there another way? How did you implement such a behavior?

1 Answer

One approach is to use the existing token as a refresh token.

In your interceptor, or wherever you are checking if the user is authenticated, you can also check if the token is near expiration.

You can decode the token to find its expiration date and time. You can choose to renew it when it is X days before expiration or whenever you want.

Remember, you can decode JWT tokens without knowing the secret key. A secret key is needed for decrypting a token but not for decoding. You can use a library like jwt-decode to decode the token or write a function to do it by yourself.

On the backend, you should have an API endpoint which accepts the current JWT and, if it is valid, creates and returns a new token with the same content.

But is it secure to just refresh it all the time?

As you already know, it is not secure to refresh it all the time. This is because if a malicious entity has access to a token, they can renew it to get a new token with extended expiration. This new token can be used to renew again just before expiration. This could go on indefinitely until we identify those tokens and stop their renewal.

A few steps you can take to make it somewhat more secure:

  • Keep track of renewal count for each user on the backend and stop renewing after a threshold is reached.
  • Stop renewing tokens issued before X weeks or certain time.

This way, after some renewals or after a certain time, the user has to authenticate again and get a new token.

  • Thank you for your answer. This is exactly what I am currently doing. I just wondered whether there is a better way of refreshing the token. Maybe not refresh it automatically but show the user a popup that the token is about to expire, with an option to extend it. Would it give some more security when it does not happen automatically? – chris1302 Oct 31 '19 at 19:44
  • You're welcome @chris1302. Yes, that is another option to let the user decide to extend the session. It wouldn't inherently give any more security but chances are a user might decide to logout and login again, which is better. But most often people will just extend it, and when repeated often it becomes annoying to the user. It is a trade-off between security and user experience. I'm interested in knowing other options as well. Let us wait for other answers. – Nikhil Oct 31 '19 at 19:56
  • I think the effect of refreshing the token automatically all the time is like setting the token to "never expire". But I am with you. I would like to hear some other options as well. – chris1302 Oct 31 '19 at 21:20
  • No, I do not think it is like that. Because you can only refresh it as long as it is valid. So if a malicious actor gets hold of it, he can only use it while it is valid. If it is not valid anymore, he can't even refresh it. – Sobvan Nov 02 '19 at 21:36
  • @Sobvan - It is right that a user can refresh it only until it is valid. But after renewal, a new token with extended expiration is issued which can be used to renew again just before expiration. This could go on indefinitely. As I mentioned, we could however stop renewing them by checking issued date/time or based on other criteria. I edited my answer to make this more clear. – Nikhil Nov 02 '19 at 22:17