1 vote

I am implementing a web application using Angular and ASP.NET Core. I made custom authentication using JWT .NET libraries. I am not using any identity server provider. After authenticating the user I return an access token with a refresh token:

{"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....", "refresh_token": "GDSDSGFDS..."}

When requesting a refresh, should I send the expired access token and validate it, or is the refresh token enough?

I read about not storing the refresh token in the browser (Angular side). Is there another option to implement the refresh token scenario?

1
Save it as a cookie; then the browser handles it, and with the credentials flag Angular will put it on the request. That's the most secure way. There is a good post about it: dev.to/rdegges/please-stop-using-local-storage-1i04 For refreshing it, it depends on your needs. You could save the token on setup in the database and validate on refresh that it is the same; whether it makes sense or not, I would feel more secure about it. - JohnnyDevNull

1 Answer

2 votes

I would say sending the refresh_token is enough, from the client-side point of view. But in case the database gets compromised, attackers can look up the refresh_token in the database.

I read about not storing the refresh token in the browser (angular side)

My suggestion is to store the refresh token in local storage and have a short-expiration-time access token.
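The following is an added example, not code from the question, the answer or the comment above. It shows the server side of the refresh flow the thread discusses: the client sends only the refresh token (the expired access token is not required; a verifier with an ignore-expiration switch is included in case you want to bind the two), refresh tokens are stored in the "database" only as SHA-256 hashes so a copied table cannot be replayed (the concern raised in the answer), and, going beyond what the thread states, each refresh token is single-use (rotated on every refresh) with reuse detection that revokes the whole token family, which is the standard OAuth 2 rotation pattern. It is written in TypeScript for Node so it runs stand-alone; the asker's backend is ASP.NET Core, where the JWT part maps onto System.IdentityModel.Tokens.Jwt. The HS256 secret, the lifetimes, the in-memory Map standing in for a table, and the explicit clock parameter are all assumptions made for the example.

```typescript
import { createHmac, createHash, randomBytes, timingSafeEqual } from "crypto";

// Assumptions for this example (not from the original post).
const ACCESS_TTL_SECONDS = 300;          // short-lived access token, as the answer suggests
const REFRESH_TTL_SECONDS = 7 * 86400;   // refresh token lifetime
const SECRET = Buffer.from("dev-only-secret-change-me"); // hypothetical; load from configuration in real code

const b64url = (b: Buffer | string): string => Buffer.from(b).toString("base64url");

// Minimal HS256 JWT signer. Claims: sub (user id), iat, exp.
function signAccessToken(sub: string, nowSec: number): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ sub, iat: nowSec, exp: nowSec + ACCESS_TTL_SECONDS }));
  const sig = createHmac("sha256", SECRET).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Verifies signature (constant-time compare) and, unless ignoreExpiration is set, the exp claim.
// ignoreExpiration is what you would use if you chose to also accept the expired access token
// on /refresh and bind it to the refresh token's user; the refresh flow below does not need it.
function verifyAccessToken(token: string, nowSec: number, ignoreExpiration = false): { sub: string } | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const hdr = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
  if (hdr.alg !== "HS256") return null; // pin the algorithm; never trust alg from the token alone
  const expected = createHmac("sha256", SECRET).update(`${header}.${payload}`).digest();
  const got = Buffer.from(sig, "base64url");
  if (got.length !== expected.length || !timingSafeEqual(got, expected)) return null;
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  if (!ignoreExpiration && (typeof claims.exp !== "number" || claims.exp <= nowSec)) return null;
  return { sub: String(claims.sub) };
}

interface RefreshRecord { userId: string; family: string; expiresAt: number; revoked: boolean }

// Stands in for the refresh-token table. Keyed by SHA-256(token): a leaked copy of this table
// does not let an attacker call /refresh, because the raw token is never stored.
const refreshTable = new Map<string, RefreshRecord>();
const hashToken = (raw: string): string => createHash("sha256").update(raw).digest("hex");

function issueRefreshToken(userId: string, family: string, nowSec: number): string {
  const raw = randomBytes(32).toString("base64url"); // 256 bits of entropy, returned to the client once
  refreshTable.set(hashToken(raw), { userId, family, expiresAt: nowSec + REFRESH_TTL_SECONDS, revoked: false });
  return raw;
}

interface TokenPair { access_token: string; refresh_token: string }

// Login: issue an access/refresh pair; the family id ties together every rotation of this session.
function login(userId: string, nowSec: number): TokenPair {
  const family = randomBytes(16).toString("hex");
  return { access_token: signAccessToken(userId, nowSec), refresh_token: issueRefreshToken(userId, family, nowSec) };
}

// /refresh: the refresh token alone identifies the user; the old access token is not needed.
function refresh(refreshToken: string, nowSec: number): TokenPair | null {
  const rec = refreshTable.get(hashToken(refreshToken));
  if (!rec || rec.expiresAt <= nowSec) return null;
  if (rec.revoked) {
    // A rotated token was presented again: either the client or a thief holds a stale copy.
    // Revoke the entire family so neither party can continue the session.
    refreshTable.forEach((r) => { if (r.family === rec.family) r.revoked = true; });
    return null;
  }
  rec.revoked = true; // rotation: every refresh token is single-use
  return { access_token: signAccessToken(rec.userId, nowSec), refresh_token: issueRefreshToken(rec.userId, rec.family, nowSec) };
}

// True when the token is known only by its hash (what a database compromise would reveal).
function storedHashedOnly(raw: string): boolean {
  return refreshTable.has(hashToken(raw)) && !refreshTable.has(raw);
}
```

The client in this design stores only the refresh token it was handed and posts it to /refresh when a request fails with 401; whether that storage is local storage (as the answer suggests) or an HttpOnly cookie sent with the credentials flag (as the comment suggests) does not change the server logic above.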