Theo's recent auth video on JWT
Hi, the timestamp is 5:03 on Theo's recent video on different auth options.
I'm confused. Currently my understanding is that refresh tokens only ever get invalidated if the user signs out or they expire. This is to force the user to sign in if refresh tokens only ever expire, for security purposes.
But in Theo's video, he actually creates a refresh token whenever the access token needs to be created. This results in the user always being signed in unless they haven't touched the app for longer than the refresh token expiration.
The only difference between the two is the user experience, as far as I can see.
The user will never sign out with the solution shown in Theo's video.
Whereas using the same refresh token until it expires forces the user to sign in again for security purposes.
Which is the most preferred and secure way? Or are both methods acceptable?
7 Replies
I haven't seen the video yet.
Maybe it's so that even if an attack happens, we make sure to always use new tokens, so that the old token will not work even if the attacker has that token? The method you mentioned is similar, but instead of tokens they are called sessions. The user is logged in until the session expires. One session can have many tokens, and that is to make it hard for attackers to gain control.
But I am confused, though, since tokens can't be invalidated.
So the tokens still exist, just not inside the cookie.
But that doesn't stop someone from hijacking once they get access to it and renewing refresh tokens and using them unlimitedly, since they can't be invalidated. And even if they were somehow, via a blocklist, doesn't this pose a security issue, as the user never has to log in?
The second method you mentioned that I mentioned 😅 is still using JWT, but we don't refresh the refresh token.
We just let it expire, or once the user signs out we expire the refresh token, forcing the user to log in and get new access/refresh tokens.
Thank you for responding! I thought no one would respond.
Not quite. Per se. When I do this, I usually have a token life of 5-10 seconds, depending on how long I'm expecting that API to take to respond. Also, when a new token is generated/refreshed, the backend should note that there is a new token in play and only that can be validated. Meaning only the new saved token will be allowed. The rest of the tokens by default won't match the saved token, and are therefore invalid.
Basically, always save the latest JWT token against a user.
And also set the expiry to a limited amount of time,
depending on use case.
Oh, so storing the refresh token in the database?
Like a session?
At least to my understanding, you could revoke/invalidate refresh tokens very easily. Whether you do, or you rely on cryptographic algorithms, is up to the implementation.
In general, refresh tokens are meant to be used once - at least as per the RFC.
In my experience working with all sorts of APIs, reality is different. I've even got some old hobby projects with hardcoded refresh tokens, because they basically have no exp.
To summarise: refresh tokens are meant to be long lived but used once. Implementation is often long lived, endless use.
If and when you want to force the user to log in again with a password/passkey is up to you.
Zoom or HubSpot annoy me every fucking day in their web apps; Google, OneDrive, Miro keep me going forever, if I connect every couple of days.
How are you going to have up-to-date information in the refresh token if you don't rotate the refresh token with the access token?
Each time you request an access token is a time when you do operations that require token rotation. In each of those times you want the refresh token to have up-to-date information about the user.
IP or user role might have changed.
Ohh okay, thanks everyone. It seems I misunderstood JWT refresh tokens.
I thought refresh tokens could be used as many times as needed until the user signs out.
In addition, for my app, yes, I do have roles, but in some apps there aren't any roles, just email. But I've seen them use JWT.
Thanks too!