Given an API which uses token authentication (e.g., JWT), how would a client store and cache the token? To remedy the effect of stolen tokens, tokens usually expire after a certain amount of time. However, almost all applications require the user to log in only once. How do they realize authentication? Do their tokens have no validity period, or do the apps automatically apply for a new token?
You can store your token in an Account Manager on Android. Regarding token validity, all apps have these tokens expire from within hours to days, depending on how fast you want to change them.
There is no specific way to handle expired tokens; you will have to write your own custom logic for this. Generally, what a lot of apps follow is: if the user's token has expired, they use an API that takes the old token, and if the token is not very old (e.g., if it expired within 1 - 2 days) they give back a new token, but if in any case the token is historic they will log out the user and ask him to log in again by providing password and username via your basic OAuth mechanism.

Taranmeet Singh
- I see. I also thought about the approach to issue a new token given an old token, but wouldn't this undermine the purpose of token validity expiration? Everyone could just apply for a new token based on a stolen one. – Green绿色 Jan 13 '22 at 06:06
- @Green绿色 you need to go through OAuth 2; they have ways to avoid this issue. – Taranmeet Singh Jan 13 '22 at 06:10
- You can check this documentation: https://www.oauth.com/oauth2-servers/making-authenticated-requests/refreshing-an-access-token/ – Taranmeet Singh Jan 13 '22 at 06:11
- Thanks for hinting at that documentation. I also found [a similar question](https://stackoverflow.com/questions/26739167/jwt-json-web-token-automatic-prolongation-of-expiration). Looks like this threat can be mitigated by issuing and frequently changing refresh tokens, but it's still there. I guess maybe reviewing [this document](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics) could make something clear to me. – Green绿色 Jan 13 '22 at 06:31
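A worked sketch of the flow the answer and comments describe, added here as an example and not code from the question or answer authors: a client cache that swaps in a new access token when the old one expires, and a server that rotates refresh tokens and revokes the whole session when a retired refresh token is replayed (the reuse-detection mitigation the linked OAuth security-topics draft discusses). `AuthServer`, `TokenCache`, the TTL values and the in-memory stores are all assumed for illustration.

```python
import secrets
import time
# Hypothetical server with refresh-token rotation and reuse detection (in-memory
# store). Each login starts a token "family"; only the newest refresh token of a
# family is valid, and replaying a retired one revokes the whole family.
ACCESS_TTL = 15 * 60          # short-lived access token: 15 minutes
REFRESH_TTL = 2 * 24 * 3600   # refresh token usable for 2 days (the answer's "1 - 2 days")

class AuthServer:
    def __init__(self, now=time.time):
        self.now = now
        self.families = {}       # family_id -> {"current": refresh_token, "expires": ts}
        self.refresh_index = {}  # refresh_token -> family_id (retired tokens kept)

    def login(self, username, password):
        if not username or not password:  # real password check is out of scope
            raise PermissionError("bad credentials")
        return self._issue(secrets.token_hex(8))

    def _issue(self, family):
        refresh = secrets.token_urlsafe(32)
        self.families[family] = {"current": refresh, "expires": self.now() + REFRESH_TTL}
        self.refresh_index[refresh] = family
        access = {"token": secrets.token_urlsafe(16), "expires": self.now() + ACCESS_TTL}
        return access, refresh

    def refresh(self, refresh_token):
        family = self.refresh_index.get(refresh_token)
        if family is None or family not in self.families:
            raise PermissionError("unknown or revoked refresh token: log in again")
        record = self.families[family]
        if refresh_token != record["current"]:
            # A retired token was replayed: the client or a thief holds a copy.
            # Revoke the whole family so both must re-authenticate with credentials.
            del self.families[family]
            raise PermissionError("refresh token reuse detected: family revoked")
        if self.now() > record["expires"]:
            del self.families[family]
            raise PermissionError("refresh token too old: log in again")
        return self._issue(family)  # rotate: the presented token is now retired

class TokenCache:
    """Client-side cache: returns the access token, refreshing it when expired."""
    def __init__(self, server, username, password, now=time.time):
        self.server, self.now = server, now
        self.access, self.refresh = server.login(username, password)

    def get_access_token(self):
        if self.now() >= self.access["expires"]:
            self.access, self.refresh = self.server.refresh(self.refresh)
        return self.access["token"]
```

When `refresh` raises `PermissionError`, the client should drop its cached tokens and prompt for credentials again; a stolen refresh token therefore buys an attacker at most one rotation before the next legitimate use reveals the reuse.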