Recently I started a project in Spring Boot and Kotlin, and I wanted to create a user management system. After a few searches, I looked at this video regarding the implementation of JWT tokens for the authentication process.
Everything seems to work perfectly, besides the fact that currently I need to pass the username and password on each authentication, which means that the client calling the API needs to either store them or ask for them each time.
After looking at this article, it seems that option 3 is actually what I'm looking for. From what I understand, the authentication process should be as follows:
- a client calls the authentication method
- two tokens are returned: one with a short lifetime, which is the authentication token, and one with a longer lifetime, which allows renewal of the authentication token.
- Once the authentication token has expired, the client will ask to renew the expired token using only those tokens, without the original details of the user.
I have two questions in this regard:
- From the security perspective: what will happen if a hacker "catches" those two tokens? That basically means that the hacker can authenticate as this user from now on without any problem, doesn't it?
- More of an implementation question: from what I could see, `jjwt` does not support this functionality (as I can read the information from the token as long as the token has not expired). From my search, I couldn't find something that gives it "out of the box". Is there a standard way to implement this functionality?
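Added example, not part of the original question or of the jjwt project: a minimal Kotlin sketch of the two-token flow described above, using the jjwt 0.11.x builder/parser API. It covers the two points raised: the tokens carry a `typ` claim so a refresh token cannot be used as an access token, and refresh tokens are rotated on every use with a server-side record of live `jti`s, so a replayed (stolen) refresh token is detected and the user's refresh tokens are revoked. That rotation-with-reuse-detection pattern is the approach recommended by the OAuth 2.0 security best current practice; jjwt itself only signs and verifies, so the store is the part you add. `issueTokens`, `refresh`, `authenticatedUser`, `logout` and the in-memory `activeRefreshTokens` map are hypothetical names; in a real service the key comes from configuration and the store is a database or cache.

```kotlin
import io.jsonwebtoken.Claims
import io.jsonwebtoken.JwtException
import io.jsonwebtoken.Jwts
import io.jsonwebtoken.SignatureAlgorithm
import io.jsonwebtoken.security.Keys
import java.time.Duration
import java.time.Instant
import java.util.Date
import java.util.UUID
import java.util.concurrent.ConcurrentHashMap
import javax.crypto.SecretKey

// Assumption: a single HS256 key signs both token types. A real service would load it
// from configuration (or use an asymmetric key pair) instead of generating it at startup.
private val signingKey: SecretKey = Keys.secretKeyFor(SignatureAlgorithm.HS256)

private val ACCESS_TTL: Duration = Duration.ofMinutes(15)
private val REFRESH_TTL: Duration = Duration.ofDays(7)

data class TokenPair(val accessToken: String, val refreshToken: String)

// Hypothetical server-side record of refresh tokens that are still valid: jti -> username.
// This is the part a bare JWT library does not give you: a signed token stays valid until
// its exp, so revocation and single-use checks need state on the server.
private val activeRefreshTokens = ConcurrentHashMap<String, String>()

private fun buildToken(username: String, type: String, ttl: Duration, jti: String): String {
    val now = Instant.now()
    return Jwts.builder()
        .setSubject(username)
        .setId(jti)                 // unique per token, used for revocation
        .claim("typ", type)         // "access" or "refresh", so one cannot be used as the other
        .setIssuedAt(Date.from(now))
        .setExpiration(Date.from(now.plus(ttl)))
        .signWith(signingKey)
        .compact()
}

/** Issued at login (username/password already verified by the caller) and on every refresh. */
fun issueTokens(username: String): TokenPair {
    val refreshId = UUID.randomUUID().toString()
    activeRefreshTokens[refreshId] = username
    return TokenPair(
        accessToken = buildToken(username, "access", ACCESS_TTL, UUID.randomUUID().toString()),
        refreshToken = buildToken(username, "refresh", REFRESH_TTL, refreshId),
    )
}

/** Verifies signature and exp; throws JwtException on any failure. */
fun parseClaims(token: String): Claims =
    Jwts.parserBuilder().setSigningKey(signingKey).build().parseClaimsJws(token).body

/** Resource endpoints accept only a valid, unexpired token of type "access". */
fun authenticatedUser(accessToken: String): String? = try {
    val claims = parseClaims(accessToken)
    if (claims["typ"] == "access") claims.subject else null
} catch (e: JwtException) {
    null
}

/**
 * Refresh with rotation: the presented refresh token is consumed and a fresh pair issued.
 * Presenting an already-consumed token means either the legitimate client or a thief is
 * replaying it, so every refresh token of that user is revoked and they must log in again.
 */
fun refresh(refreshToken: String): TokenPair? {
    val claims = try { parseClaims(refreshToken) } catch (e: JwtException) { return null }
    if (claims["typ"] != "refresh") return null
    val owner = activeRefreshTokens.remove(claims.id)
    if (owner == null) {
        activeRefreshTokens.values.removeIf { it == claims.subject }
        return null
    }
    if (owner != claims.subject) return null
    return issueTokens(owner)
}

/** Logout only needs to drop the refresh token; the access token dies at its short exp. */
fun logout(refreshToken: String) {
    try { activeRefreshTokens.remove(parseClaims(refreshToken).id) } catch (e: JwtException) { }
}

fun main() {
    val first = issueTokens("alice")
    println("access ok: ${authenticatedUser(first.accessToken)}")               // alice
    println("refresh used as access: ${authenticatedUser(first.refreshToken)}") // null
    val second = refresh(first.refreshToken)                                     // new pair
    println("rotated: ${second != null}")                                        // true
    println("replay of old refresh: ${refresh(first.refreshToken)}")             // null, revokes alice
    println("new refresh after replay: ${refresh(second!!.refreshToken)}")      // null: family revoked
}
```

The access token is deliberately short-lived and stateless, so a captured one buys an attacker at most `ACCESS_TTL`; the long-lived refresh token is the one worth protecting, which is why it is single-use, stored server-side, and sent only to the refresh endpoint (in a browser client it would live in an HttpOnly, Secure cookie scoped to that path rather than being readable by scripts).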