Tags: ruby-on-rails, jwt, doorkeeper

How to use JWT as refresh tokens with Doorkeeper?


I've been trying to find a guide to implement an auth API in Rails 6 that uses JWT+Refresh tokens, and consumes it with a React client that doesn't save the tokens in localStorage but in memory (almost every single tutorial I've read uses a toy app with localStorage instead of an acceptable kind of production-ready solution).

I've found that Doorkeeper is a good solution in the backend, and I'm using it with the doorkeeper-jwt gem, which transforms the access token into a JWT, but it doesn't do the same for the refresh token (meaning it's not a JWT, but just an encoded token). I tried to look into the gem to replicate the behavior for the refresh token, but I'm not that good at Ruby, so I couldn't do it.

Is there a guide around on how to convert that refresh token into a JWT?

Thanks.


Solution

  • Is there a guide around on how to convert that refresh token into a JWT?

    I don't like to answer a "how do I..." question with "don't", but the reason you're not finding a readily available way to do so is that it's harmful and not something that you should be doing.

    JWTs, in general, are useful because they can be verified based on a public key, without having to contact a remote service to check their validity. This is extremely problematic for long-lived tokens because revocation no longer works. This would be a severe security problem for refresh tokens, which are extremely long-lived and MUST be revocable.

    The only service that is able to validate a refresh token is the issuer itself (i.e., Doorkeeper), and the only way the token can be used is in a request to the issuer to request a new access token. The issuer doesn't need its own tokens to be signed; it does the more correct thing of checking whether the refresh token matches an unrevoked token in its database before issuing a new access token.

    All other services should treat the refresh token as opaque, store it securely, and use it for the sole purpose of requesting new access tokens from the OAuth2 provider. No JWT verification is necessary in any part of this.
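To make the answer's point concrete, here is an added example (not code from the question, the answer, or Doorkeeper itself) that puts a stateless HS256 check beside an opaque refresh token validated against the issuer's own store; the signing secret, the in-memory table and all helper names are assumptions, and the JWT code stands in for what doorkeeper-jwt does to access tokens.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

JWT_SECRET = 'constructed-demo-secret' # assumed; doorkeeper-jwt takes the real key from its initializer
REFRESH_TOKENS = {} # constructed in-memory stand-in for the issuer's refresh-token table

def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Minimal HS256 JWT (stdlib only), standing in for what doorkeeper-jwt does to access tokens.
def jwt_sign(payload)
  segments = [b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' })), b64url(JSON.generate(payload))]
  segments << b64url(OpenSSL::HMAC.digest('SHA256', JWT_SECRET, segments.join('.')))
  segments.join('.')
end

# Verification needs only the key and the clock: nothing here can learn of a revocation.
def jwt_valid?(token)
  header, payload, sig = token.split('.')
  return false if sig.nil?
  expected = b64url(OpenSSL::HMAC.digest('SHA256', JWT_SECRET, "#{header}.#{payload}"))
  OpenSSL.secure_compare(expected, sig) && JSON.parse(Base64.urlsafe_decode64(payload))['exp'].to_i > Time.now.to_i
end

# Opaque refresh tokens, Doorkeeper-style: random bytes whose only meaning is a row in the
# issuer's database (stored here as a SHA-256 digest so a leaked table yields no usable tokens).
def issue_refresh_token
  token = SecureRandom.urlsafe_base64(32)
  REFRESH_TOKENS[OpenSSL::Digest::SHA256.hexdigest(token)] = { revoked_at: nil }
  token
end
def revoke_refresh_token(token)
  row = REFRESH_TOKENS[OpenSSL::Digest::SHA256.hexdigest(token)]
  row[:revoked_at] = Time.now if row
end

# The issuer's check before exchanging a refresh token for a new access token.
def refresh_token_valid?(token)
  row = REFRESH_TOKENS[OpenSSL::Digest::SHA256.hexdigest(token)]
  !row.nil? && row[:revoked_at].nil?
end

# Side by side: revocation is honored for the opaque token and invisible to the JWT check.
def revocation_demo
  jwt, opaque = jwt_sign({ sub: 'user-1', exp: Time.now.to_i + 86_400 }), issue_refresh_token
  revoke_refresh_token(opaque) # e.g. the user logged out, so this session must end
  [jwt_valid?(jwt), refresh_token_valid?(opaque)] # => [true, false]
end
```

The long-lived JWT still verifies after the event that should have ended the session, which is exactly why a refresh token should be an opaque, database-backed value rather than a self-validating token.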