
I would like to start a project with Spring Boot and JWT. I saw some examples which save the refresh tokens in the database. Do I have to insert refresh tokens into the database, or is there another best-practice way?

And if I have to insert into the database, for removing expired tokens, should I make a job in Spring?

I'm not sure about putting lipstick on this one, @PeterMortensen. There's nothing Spring Boot specific neither in the question, nor in the answer, and honestly speaking I'm not 100% convinced the answerer fully understood refresh tokens either. – tevemadar Jul 31 '22 at 09:52

1 Answer

In the case of the refresh token flow, it's the client's responsibility to securely manage the refresh token. Once the access token expires, the client can use an earlier saved refresh token to get a new access token and, optionally, a new refresh token.

As you asked about the approach for storing the refresh token on the server side, I think storing it in the datastore for later validation while issuing the new access token has one important advantage: by doing so you can always restrict or revoke access to the services. It makes sense in the case where the refresh token has a longer validity period and the server is not issuing a new refresh token with the new access token during the refresh token flow.

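The server-side store the answer describes, as an added example that is not code from the question or the answer: a plain-Java stand-in for a refresh_token table that hashes tokens before storing them (so a leaked table does not hand out usable tokens), marks a token as used on the refresh call (rotation, so a replayed token is rejected), supports per-user revocation (the advantage the answer points to), and has a purge method for the cleanup job the question asks about. The class, method and column names are assumptions; in a Spring Boot project the map would be a JPA repository and purgeExpired would be invoked from a @Scheduled method.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** In-memory stand-in for a refresh_token table (assumption: in Spring Boot this is a JPA entity + repository). */
public class RefreshTokenStore {

    /** One row of the hypothetical refresh_token table. Only the hash of the token is stored, never the token. */
    public record RefreshTokenRecord(String tokenHash, String userId, Instant expiresAt, boolean revoked) {}

    private final Map<String, RefreshTokenRecord> table = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration lifetime;

    public RefreshTokenStore(Duration lifetime) {
        this.lifetime = lifetime;
    }

    /** Issue an opaque, random refresh token and persist its SHA-256 hash with an expiry. */
    public String issue(String userId, Instant now) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        String key = hash(token);
        table.put(key, new RefreshTokenRecord(key, userId, now.plus(lifetime), false));
        return token;
    }

    /**
     * Refresh flow: look the presented token up by hash, reject it if unknown, revoked or expired,
     * otherwise mark it revoked (rotation) and return the user it belongs to so a new pair can be issued.
     */
    public Optional<String> consume(String presentedToken, Instant now) {
        String key = hash(presentedToken);
        RefreshTokenRecord rec = table.get(key);
        if (rec == null || rec.revoked() || !now.isBefore(rec.expiresAt())) {
            return Optional.empty();
        }
        table.put(key, new RefreshTokenRecord(rec.tokenHash(), rec.userId(), rec.expiresAt(), true));
        return Optional.of(rec.userId());
    }

    /** Server-side revocation (e.g. on logout or password change); returns how many live tokens were revoked. */
    public int revokeAllForUser(String userId) {
        int count = 0;
        for (Map.Entry<String, RefreshTokenRecord> e : table.entrySet()) {
            RefreshTokenRecord r = e.getValue();
            if (r.userId().equals(userId) && !r.revoked()) {
                e.setValue(new RefreshTokenRecord(r.tokenHash(), r.userId(), r.expiresAt(), true));
                count++;
            }
        }
        return count;
    }

    /** Housekeeping job: delete rows whose expiry has passed. In Spring Boot, call this from a @Scheduled method. */
    public int purgeExpired(Instant now) {
        int before = table.size();
        table.values().removeIf(r -> !now.isBefore(r.expiresAt()));
        return before - table.size();
    }

    /** Number of rows currently in the table (live or revoked but not yet purged). */
    public int size() {
        return table.size();
    }

    private static String hash(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return Base64.getEncoder().encodeToString(md.digest(token.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        RefreshTokenStore store = new RefreshTokenStore(Duration.ofDays(30));
        Instant issued = Instant.parse("2024-01-01T00:00:00Z"); // constructed clock value
        Instant later = issued.plus(Duration.ofDays(1));

        String token = store.issue("alice", issued);
        System.out.println("first refresh   : " + store.consume(token, later));   // accepted, token is now used
        System.out.println("replayed refresh: " + store.consume(token, later));   // rejected: already rotated

        String token2 = store.issue("alice", issued);
        System.out.println("revoked rows    : " + store.revokeAllForUser("alice"));
        System.out.println("after revoke    : " + store.consume(token2, later));  // rejected: revoked server-side

        store.issue("bob", issued);
        System.out.println("purged rows     : " + store.purgeExpired(issued.plus(Duration.ofDays(31))));
        System.out.println("rows left       : " + store.size());
    }
}
```

Run it with `java RefreshTokenStore.java` (Java 16 or newer, for records). The store keys on the token hash, so the refresh endpoint never needs to compare plaintext tokens and the table stays useless to anyone who reads it directly; the expiry check uses the clock passed in so the same logic can be exercised in a unit test without waiting for real time to pass.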