I am trying to understand how to implement JWT token authentication in my app.
As I understand it, the user enters credentials (user + password) in the login request and receives both an access token (say 30 mins) and a refresh token (say 60 days).
Whenever the access token expires, I will use username + refresh token to create a new access token.
1) First question: is it normal that whenever this happens, all my home screen requests will fail until I get the new token and then I will need to re-send the requests with the new access token? Or should I do the token validation in a splash screen before any other app flow?
This will continue until 60 days pass and the refresh token expires. What happens here?
I don't recall Facebook or (almost) any other app ever requesting my credentials again.
2) Is the password stored so that the app can do a background login again to retrieve both tokens? (I don't want to store the password in any way)
3) Or is the refresh token refreshed somehow before it expires? (for example, it is refreshed as long as the user keeps opening the app before the 60 days pass)
The first way is OK as long as you provide a smooth user experience, e.g. you can distinguish the JWT expiration error from any other error and perform the access token update without displaying an error. The second way is used too; please refer to so-called "JWT Sliding Expiration" and consider its pros and cons. The main con is: is it OK that a lot of valid access tokens exist in your authorization server (AS) database?
E.g., the somewhat related RFC doesn't state that such a background JWT update flow is not recommended. However, considering that an entity such as the refresh token can be used for obtaining fresh access tokens, its compromise can lead to more serious consequences. Therefore, requiring some kind of user action before the refresh token update may be regarded as the better practice.
Of course you should consider the case where the AS throws a "refresh token expiration" error. Suppose you have an access token + refresh token package; you then have two types of errors, just to distinguish them: "Token validation error" (the common one, where you don't know what is wrong with any of your tokens) and a general "Error" (which is clearly not related to tokens).
So a simple workflow using JWT can look like this.