Tags: security, authentication, jwt, signature

For the same user, how is JWT's signature different after the user requests a new token?


My understanding of the way a server verifies a user using JWT is that the server hashes the payload part of the JWT with its own secret key and then compares the result against the signature part of the JWT. If the two match, then the request made by the user is valid.

However, I am not able to find out how people generate a different JWT when a user refreshes the token. To me, in order to ensure a unique JWT is generated when the token is refreshed, the payload needs to be changed, say by adding an expiration date + user id. However, most resources online don't mention the process of generating a new unique JWT when the old one has expired. Am I missing something here? Do people not generate unique JWTs when the old one has expired and instead simply extend the lifetime of the JWT on the server side?


Solution

  • My understanding of the way a server verifies a user using JWT is that the server hashes the payload part of the JWT with its own secret key and then compares the result against the signature part of the JWT. If the two match, then the request made by the user is valid.

    Yes, it is.

    However, I am not able to find out how people generate a different JWT when a user refreshes the token.

    The signature will be different for different payloads, even if the change is minimal. Usually, date claims such as exp and iss are included, which make the token always different.

    Do people not generate unique JWTs when the old one has expired and instead simply extend the lifetime of the JWT on the server side?

    No, because it would require maintaining sessions and you would lose the advantages of using JWT. When refreshing, a new token is issued.
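The issue-and-verify cycle the answer describes, as an added example that is not part of the question or the answer above. It builds HS256 tokens with the standard library only, so it runs offline. Two points the thread makes are visible in it: issuing a fresh token with new `iat`/`exp` claims yields a different signature for the same user, while identical claims would yield an identical token; and verification does not "decrypt" anything, it recomputes the HMAC over the `header.payload` signing input (the JWS standard signs the header and payload together, not the payload alone) and compares in constant time, then checks `exp`. The secret, subject and timestamps are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url: restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json_compact(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def issue_token(secret: bytes, sub: str, now: int, ttl: int = 900) -> str:
    """Issue an HS256 JWT for `sub`. `now` is a Unix timestamp; ttl in seconds.
    Each refresh passes a new `now`, so iat/exp change and so does the signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl}
    signing_input = _b64url(_json_compact(header)) + "." + _b64url(_json_compact(payload))
    # The MAC covers header AND payload (the JWS signing input), not the payload alone.
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, now: int) -> Optional[dict]:
    """Return the payload if the token is authentic and unexpired, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        provided_sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected_sig, provided_sig):
        return None
    payload = json.loads(_b64url_decode(p))
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None  # expired (or missing exp): caller must go through refresh
    return payload


def signature_part(token: str) -> str:
    return token.rsplit(".", 1)[1]


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"          # constructed, not a real key
    t1 = issue_token(SECRET, "alice", 1_700_000_000)
    t2 = issue_token(SECRET, "alice", 1_700_000_600)  # refresh 10 minutes later
    print("signatures differ after refresh:", signature_part(t1) != signature_part(t2))
    print("verified payload:", verify_token(SECRET, t1, 1_700_000_100))
    print("after exp:", verify_token(SECRET, t1, 1_700_000_901))
```

Note that `issue_token` is deterministic: the same secret and claims give byte-for-byte the same token, which is exactly why refresh must change a claim (normally `iat`/`exp`, sometimes a `jti` nonce) rather than re-sign the old payload. The server keeps no session state; the expiry check and the MAC are all it needs.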