Tags: angular, jwt, cas

Handle JWT token and cas login state


I have some trouble with the logic of handling my SSO login with CAS and the JWT state.

Before starting: to authenticate to my app, the user needs to visit CAS, passing as a URL parameter the name of the app that needs to gain access, e.g. myapp.com

After the login the user gets redirected with a 302 to my app, with a JWT appended to the URL: myapp.com/?service=JWT-blablabla

This is how I imagined the flow of the app to check whether the user is logged in or not, or whether he is coming with a JWT:


I have some questions:

  1. If the user comes with a valid JWT appended but still has a valid JWT in localStorage, which JWT has priority: the one with the freshest expiry time, or does the old one get automatically invalidated by CAS? Remember that the JWT needs to be validated by my backend.

  2. In my HTTP calls I append my bearer JWT. The problem is that I cache my HTTP calls; if the JWT expires and the user doesn't make HTTP calls, how can I handle that? I need to log out the user; I can't wait to make an HTTP call and tell him it's invalid, or should I?


Solution

  • Having implemented SSO recently myself, here are some answers to your questions:

    1. The newest token should take priority, but why is this even happening, i.e. why is there a new JWT token in the URL? If the user goes to the login page while they still have a valid JWT token in local storage, they should be redirected to your home page (or somewhere). PS: you cannot invalidate a JWT token.

    2. Once the token has expired, your server should return a 401 response; this is what you should look out for. Check if the user has a JWT token in local storage, and if they also receive a 401, then you know the token has expired, so make a call to your API to refresh the token without redirecting the user to the login page.

    Hope this helps.
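The two points the answer makes (the newest token wins, and a 401 should drive a refresh attempt before the user is logged out), as an added example in plain JavaScript. This is not code from the question or the answer. It assumes Node 16+ (for `Buffer` base64url support), that the backend verifies the JWT signature so the client only reads `exp` to order tokens and never uses the payload for authorization, and hypothetical `doFetch`, `refresh` and `logout` callbacks injected so the 401 path can be exercised offline. The `fakeJwt` helper builds constructed, unsigned tokens purely so the file runs stand-alone.

```javascript
// Added example, not part of the question or answer.
// Decode the payload of a compact JWT WITHOUT verifying it (base64url -> JSON).
// Returns null for anything not shaped like a JWT. Verification is the
// backend's job; the client uses this only to compare `exp` values.
function decodePayload(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    // base64url -> base64 with padding restored, then JSON
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
    return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// Expiry as seconds since epoch; 0 (already expired) when missing or malformed.
function expiryOf(token) {
  const payload = decodePayload(token);
  return payload && Number.isFinite(payload.exp) ? payload.exp : 0;
}

// Question 1: between the token delivered on the URL and the one in storage,
// keep the unexpired one with the freshest `exp`; null if neither is usable.
function pickToken(urlToken, storedToken, nowSec) {
  const usable = [urlToken, storedToken].filter((t) => expiryOf(t) > nowSec);
  if (usable.length === 0) return null;
  return usable.reduce((best, t) => (expiryOf(t) > expiryOf(best) ? t : best));
}

// Pull `service=` off a redirect such as myapp.com/?service=<JWT>.
// After reading it, a real app should also remove it from the address bar
// (history.replaceState) so the token does not linger in history or referrers.
function tokenFromUrl(urlString) {
  try {
    return new URL(urlString).searchParams.get('service');
  } catch (e) {
    return null;
  }
}

// Question 2: wrap a request so that a 401 triggers exactly one refresh and a
// retry; a 401 on the retry (or a failed refresh) means the session is gone.
// doFetch(token) -> Promise<{status}>, refresh() -> Promise<newToken|null>,
// logout() clears client state. All three are hypothetical injected callbacks.
async function authorizedRequest(token, doFetch, refresh, logout) {
  let response = await doFetch(token);
  if (response.status !== 401) return { token, response };
  const fresh = await refresh();
  if (fresh) {
    response = await doFetch(fresh);
    if (response.status !== 401) return { token: fresh, response };
  }
  logout();
  return { token: null, response };
}

// Constructed, unsigned JWT so the example runs offline (never use alg none for real).
function fakeJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}

// Simulated 401 flow: the stored token is stale, the refresh endpoint hands back
// a fresh one, the retried call succeeds. Returns what authorizedRequest returns.
function simulateStaleThenRefresh() {
  const loggedOut = { value: false };
  const doFetch = async (t) => ({ status: t === 'fresh-token' ? 200 : 401 });
  const refresh = async () => 'fresh-token';
  const logout = () => { loggedOut.value = true; };
  return authorizedRequest('stale-token', doFetch, refresh, logout)
    .then((r) => ({ ...r, loggedOut: loggedOut.value }));
}

// Simulated dead session: refresh fails, so the second point of the answer
// (logging out only after a failed refresh) is exercised.
function simulateRefreshFailure() {
  const loggedOut = { value: false };
  const doFetch = async () => ({ status: 401 });
  const refresh = async () => null;
  const logout = () => { loggedOut.value = true; };
  return authorizedRequest('stale-token', doFetch, refresh, logout)
    .then((r) => ({ ...r, loggedOut: loggedOut.value }));
}
```

The key design choice is that `pickToken` only orders tokens by `exp`; whichever one it returns is still sent to the backend, which is the only place the signature and issuer are checked. The refresh-once-then-logout shape keeps a cached or idle client from silently carrying an expired bearer token: the first 401 is treated as "expired", the second as "not recoverable".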