9
votes

I'm developing an Android app and I'm a little confused regarding tokens and refresh tokens. Basically now, after the user logs in with a mobile number and a code sent by SMS, the authentication server returns an access token that will be used for accessing all APIs. For the authentication server, I've used Laravel with the jwt-auth library. When the access token expires I will ask for a new one using the user's credentials stored in the AccountManager. Is it the correct way to implement this authentication?

Or am I missing the refresh token, with which I ask for a new access token when the access token expires?

Thanks in advance, Daniele

1
Never ever store user credentials in a local database. You should be using a refresh token. - Tomer Shemesh

1 Answer

17
votes

I think it's better to use both a token and a refresh token, so you don't always have to send your credentials when your access token is expired. Moreover, it's not safe to store users' credentials on a client device; you should store this information on your server and ask the user to type it when needed.

Here is how I implement the token/refresh token process:

1: You send your credentials to your authentication server (it will send you back an access token (I use the JSON Web Token type, which is not stored in the database) and a refresh token (that is stored in the database)).

2: When you make a request to your server, you check if the access token is expired; if so, you make a request to your authentication server with the refresh token as a parameter in order to get a new access token (depending on the configuration of your server, it could give you back either a new access token or a new pair of access token and refresh token, which I prefer).

3: If the refresh token is expired, you make a request with your credentials to get a new pair of tokens.
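The three-step flow above, as an added Python simulation that is not part of this answer, of Laravel or of jwt-auth: a minimal auth server (HMAC-signed JWT-style access token, refresh tokens kept in a dict standing in for the database and rotated on every use) beside a client that keeps only the two tokens and asks the user for credentials again only once the refresh token has expired. The signing secret, the SMS code check and the lifetimes are constructed placeholders.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"server-signing-key"  # constructed placeholder; lives only on the auth server
def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_access_token(user: str, now: int, ttl: int = 900) -> str:
    # JWT-style: base64 payload + HMAC-SHA256 signature, nothing kept server side
    payload = b64(json.dumps({"sub": user, "exp": now + ttl}).encode())
    return payload + "." + b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())

def token_exp(token: str) -> int:
    # The client can read exp without the secret; only the server can verify the signature
    payload = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))["exp"]

def access_token_valid(token: str, now: int) -> bool:  # what every API endpoint checks
    payload, sig = token.split(".")
    expected = b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return hmac.compare_digest(sig, expected) and token_exp(token) > now

class AuthServer:
    def __init__(self):
        self.refresh_db = {}  # refresh token -> (user, expiry): the only token state stored
    def issue_pair(self, user: str, now: int) -> dict:
        refresh = secrets.token_urlsafe(32)
        self.refresh_db[refresh] = (user, now + 30 * 24 * 3600)  # refresh token lives 30 days
        return {"access_token": make_access_token(user, now), "refresh_token": refresh}
    def login(self, phone: str, sms_code: str, now: int) -> dict:  # step 1
        if sms_code != "123456":  # constructed stand-in for checking the SMS code really sent
            raise PermissionError("bad SMS code")
        return self.issue_pair(phone, now)
    def refresh(self, token: str, now: int):  # step 2: a new pair, or None if invalid/expired
        record = self.refresh_db.pop(token, None)  # rotate: each refresh token is single use
        return None if record is None or record[1] <= now else self.issue_pair(record[0], now)

class AndroidClient:
    """Keeps only the two tokens; credentials are asked from the user when needed, never stored."""
    def __init__(self, server: AuthServer, ask_credentials):
        self.server, self.ask_credentials = server, ask_credentials
        self.access = self.refresh = None
    def ensure_access_token(self, now: int) -> str:
        if self.access and token_exp(self.access) > now:
            return self.access  # still valid, reuse it
        pair = self.server.refresh(self.refresh, now) if self.refresh else None
        if pair is None:  # step 3: refresh token missing or expired, user types credentials again
            pair = self.server.login(*self.ask_credentials(), now)
        self.access, self.refresh = pair["access_token"], pair["refresh_token"]
        return self.access
```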