1
votes

I have some questions about implementing refresh tokens. I searched a lot but found nothing:

  1. Do I have to use JWT for the refresh token, or can it be a hashed string? What are the benefits of using JWT for refresh tokens?

  2. Should refresh tokens have an expiration time? I want to use refresh tokens for a remember-me feature, so if the user comes back to the website or mobile app after a month, he should be able to continue as a logged-in user.

  3. Do I have to send the refresh token to the client? (As we store it in the database and delete it on logout.)


2 Answers

2
votes

I am using a JWT token for refresh purposes. It has different claims than the access token. Additionally, I am storing a refreshKey claim which is also stored in the database. This approach allows me to revoke this token just in case (for example, user blockage functionality).

  1. Benefits: You have the same validation mechanism as for the access token (validity check, expiration date, etc.).
  2. Usually refresh tokens have a very long expiration time (way longer than access tokens). Using long-lived access tokens is not recommended, as you are not able to revoke them. It is fine to have long-lasting refresh tokens as long as you can revoke them.
  3. Yes, you have to send it to the client, to keep your architecture stateless (I suppose this is your purpose of using JWT).
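The scheme this answer describes, written out as an added, stdlib-only example (not the answerer's code): the refresh token is an HS256 JWT carrying a refreshKey claim, the same key is persisted server-side, and deleting it revokes the token even though the JWT itself is still signed and unexpired. SECRET, REFRESH_TTL, ACCESS_TTL, refresh_keys and the function names are hypothetical names chosen for the demo.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

# Constructed demo of a revocable refresh JWT: the refreshKey claim must also exist in the
# server-side store (a dict stands in for the database table). All names are hypothetical.
SECRET = b"constructed-signing-secret-for-the-example-only"
REFRESH_TTL = 30 * 24 * 3600   # refresh token lives 30 days (long-lived, but revocable)
ACCESS_TTL = 15 * 60           # access token lives 15 minutes (short-lived, not revocable)
refresh_keys = {}              # stand-in for the database table: refreshKey -> user id

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str, now: float) -> Optional[dict]:
    # Same validation path for access and refresh tokens: signature first, then exp.
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:         # malformed token, bad base64 or bad JSON
        return None
    return claims if claims.get("exp", 0) > now else None

def issue_refresh_token(user: str, now: float) -> str:
    key = secrets.token_urlsafe(32)
    refresh_keys[key] = user   # persisted so the token can be revoked later
    return sign_jwt({"sub": user, "typ": "refresh", "refreshKey": key, "exp": now + REFRESH_TTL})

def refresh_access_token(refresh_token: str, now: float) -> Optional[str]:
    # Exchange a valid, non-revoked refresh token for a new short-lived access token.
    claims = verify_jwt(refresh_token, now)
    if claims is None or claims.get("typ") != "refresh":
        return None            # expired, forged, or an access token presented as a refresh token
    if refresh_keys.get(claims.get("refreshKey")) != claims.get("sub"):
        return None            # revoked on logout / user block, or never issued by this server
    return sign_jwt({"sub": claims["sub"], "typ": "access", "exp": now + ACCESS_TTL})

def revoke_user(user: str) -> None:
    # Delete every stored refreshKey for the user; all of their refresh JWTs stop working.
    for key in [k for k, u in refresh_keys.items() if u == user]:
        del refresh_keys[key]
```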
2
votes
  1. A refresh token is to be used by the client to acquire a new access token from the server. So, the format of the refresh token is completely up to the authorization server that issues the token. If you are issuing an 'Access Token' and a 'Refresh Token', then it is easier to have the same format, i.e. JWT format.
  2. Refresh tokens must have an expiry time. It can be much longer than the regular access token expiry time. It can always be made configurable by the resource.
  3. You should send the refresh token to the client so that the client can use it to request a new token.