JWT-Based Authentication Flow with Access and Refresh Tokens

Thread starter: Petar Ivanov (Guest)
I'm currently working on an authentication system using JWTs and would like to get some feedback and opinions from the community. Auth Flow Diagram: https://i.sstatic.net/Z4GlgWvm.png

Overview of the Flow:

Initial Login:

  • User sends credentials to the server.
  • Server validates and responds with an AccessToken and a RefreshToken.
  • AccessToken is short-lived and used for accessing protected endpoints.
  • RefreshToken is long-lived and used to obtain a new AccessToken when it expires.

Token Expiry Handling:

  • When an AccessToken expires, the client sends a request to the /refresh-token endpoint with the RefreshToken.
  • Server validates the RefreshToken, generates new tokens, and sends them back to the client.
  • Client updates the stored tokens and retries the original request.

Key Points:

No Persistent Storage for Refresh Tokens:

  • Refresh tokens are only stored in the client's cookies.

Token Rotation:

  • Each time a RefreshToken is used, a new AccessToken and RefreshToken are generated.

Secure Flags:

  • Cookies are set with HttpOnly, Secure, and SameSite flags.

Questions and Concerns:

Token Invalidation:

  • Without persistent storage, how can I effectively invalidate tokens on logout or admin actions?

Revocation Strategy:

  • Is implementing a revocation list (JWT blacklisting) or using session metadata a viable approach to handle token invalidation? What are the pros and cons of these methods?
  • Are there other strategies to manage token invalidation that balance security and complexity?
I'd appreciate any feedback, suggestions, or resources you can share. Thanks in advance!
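The rotation step and the two invalidation strategies the question asks about (a `jti` revocation list and per-user session metadata), as an added stand-alone example that is not part of the question or of any answer on this thread. It hand-rolls HS256 JWTs with the standard library so it runs offline, and it assumes a placeholder key, in-memory stores, and a per-user session-version claim named `sv`.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-key"            # assumption: placeholder HS256 key, not a real secret
ACCESS_TTL, REFRESH_TTL = 300, 7 * 86400     # seconds: short-lived access, long-lived refresh
revoked_jti = set()                          # revocation list: spent or revoked token ids (prune once expired)
session_version = {}                         # session metadata: per-user counter, bump to kill every token

def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims):
    # Mint a compact HS256 JWT: header.payload.signature, all base64url without padding.
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify(token, typ, now):
    # Return the claims only if signature, token type, expiry, revocation list and session version all pass.
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return None
    want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("typ") != typ or claims["exp"] <= now:
        return None
    if claims["jti"] in revoked_jti:                        # spent refresh token or explicit logout
        return None
    if claims["sv"] != session_version.get(claims["sub"], 0):  # "log out everywhere" / admin action
        return None
    return claims

def issue_pair(sub, now):
    sv = session_version.get(sub, 0)
    def mk(typ, ttl):
        return sign({"sub": sub, "typ": typ, "sv": sv, "jti": secrets.token_hex(8), "exp": now + ttl})
    return mk("access", ACCESS_TTL), mk("refresh", REFRESH_TTL)

def rotate(refresh_token, now):
    # /refresh-token: burn the presented refresh token so it is single-use, then issue a fresh pair.
    claims = verify(refresh_token, "refresh", now)
    if claims is None:
        return None
    revoked_jti.add(claims["jti"])
    return issue_pair(claims["sub"], now)

def logout_everywhere(sub):
    session_version[sub] = session_version.get(sub, 0) + 1
```

Both stores are state the server has to keep, so "no persistent storage" gives a little either way: the `jti` set only needs entries until their tokens expire, while the session-version map is one integer per user and also catches a refresh token that is replayed after rotation.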
