I have read about JWT, access tokens and refresh tokens. I understand that you have to set the access token expiration to a very short time (minutes) and use refresh tokens to obtain a new access token whenever it expires.
Three things are not clear to me:
- Who checks the access token for expiration? Is the client checking that and requesting a new access code by sending the expired access token along with the refresh token?
- Who checks the refresh token for expiration? (Obviously the refresh token needs an expiration as well, although it takes longer to expire.)
- From my point of view, if a refresh token is expired, the user must be prompted to log in again. This is something that needs to be avoided in some scenarios (mobile apps). How can it be avoided?
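The flow the question describes, as an added example that is not part of the original post: a resource server that checks `exp` on every access token itself, an auth server that checks `exp` on every refresh token and rotates it (so an active user keeps getting a new refresh token with a fresh expiry and is only sent back to the login screen after being idle longer than the refresh lifetime, or after a rotated token is replayed), and a client that never inspects expiry and simply retries through the refresh endpoint when an API call is rejected. Everything here is assumed for illustration: the HS256 tokens are built with the standard library only, the key, user name, `use` and `jti` claims and the TTLs are made up, and time is a simulated clock passed in as `now`.

```python
"""Access/refresh token flow with server-side expiry checks and refresh-token rotation.
Added example, not from the original post. Assumptions: HS256 compact JWTs built with the
standard library, 5-minute access TTL, 30-day refresh TTL, simulated clock `now` (seconds)."""
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"example-signing-key-not-for-production"  # constructed for the example
ACCESS_TTL = 5 * 60            # seconds: minutes, as the question says
REFRESH_TTL = 30 * 24 * 3600   # seconds: much longer, renewed on every refresh


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict) -> str:
    """Build an HS256-signed compact JWT (header.payload.signature) from the claims."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify(token: str, token_use: str, now: int):
    """Server-side validation: signature, then pinned alg, then `use` and `exp`.
    Returns the claims, or None if malformed, forged, of the wrong kind, or expired.
    The expiry check lives here, on the server, never in the client."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    if json.loads(_unb64(header)).get("alg") != "HS256":  # alg is pinned, not chosen by the token
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("use") != token_use or now >= claims.get("exp", 0):
        return None
    return claims


class AuthServer:
    """Issues token pairs; every refresh checks the refresh token's exp and rotates it."""

    def __init__(self):
        self.active_refresh = {}  # jti -> subject: the refresh tokens still accepted

    def login(self, user: str, now: int) -> dict:
        return self._issue_pair(user, now)

    def _issue_pair(self, user: str, now: int) -> dict:
        jti = secrets.token_hex(16)
        self.active_refresh[jti] = user
        return {
            "access": sign({"sub": user, "use": "access", "exp": now + ACCESS_TTL}),
            "refresh": sign({"sub": user, "use": "refresh", "exp": now + REFRESH_TTL, "jti": jti}),
        }

    def refresh(self, refresh_token: str, now: int):
        claims = verify(refresh_token, "refresh", now)
        if claims is None:
            return None  # expired or forged refresh token: the client has to re-login
        if claims["jti"] not in self.active_refresh:
            # Replay of an already-rotated refresh token: treat the family as stolen, revoke it all.
            self.active_refresh = {j: u for j, u in self.active_refresh.items() if u != claims["sub"]}
            return None
        del self.active_refresh[claims["jti"]]       # rotation: each refresh token is single-use
        return self._issue_pair(claims["sub"], now)  # fresh refresh exp => sliding lifetime


def resource_server(access_token: str, now: int):
    """Any API endpoint: validates the access token itself; None stands for an HTTP 401."""
    claims = verify(access_token, "access", now)
    return claims["sub"] if claims else None


class Client:
    """App side: never inspects exp, just retries once through the refresh endpoint on 401."""

    def __init__(self, auth: AuthServer, tokens: dict):
        self.auth, self.tokens = auth, tokens

    def call_api(self, now: int) -> str:
        """Returns 'ok', 'refreshed' (new pair obtained) or 'relogin' (refresh failed)."""
        if resource_server(self.tokens["access"], now) is not None:
            return "ok"
        new_tokens = self.auth.refresh(self.tokens["refresh"], now)
        if new_tokens is None:
            return "relogin"
        self.tokens = new_tokens
        return "refreshed"


def scenario() -> dict:
    """Walk a simulated clock through the flow; returns the outcomes and whether a replayed
    (already rotated) refresh token was rejected."""
    auth, t0 = AuthServer(), 1_700_000_000
    client = Client(auth, auth.login("alice", t0))
    out = [client.call_api(t0 + 60)]                      # access token still valid
    out.append(client.call_api(t0 + 600))                 # access expired, refresh valid: rotated
    stale = client.tokens["refresh"]                      # keep the current refresh token aside
    out.append(client.call_api(t0 + REFRESH_TTL + 300))   # the login-time refresh token would have
                                                          # expired; the rotated one has not: no re-login
    replay_rejected = auth.refresh(stale, t0 + REFRESH_TTL + 310) is None  # reuse detected
    out.append(client.call_api(t0 + REFRESH_TTL + 400))   # stateless access token still valid
    out.append(client.call_api(t0 + REFRESH_TTL + 700))   # access expired, family revoked: re-login
    return {"outcomes": out, "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(scenario())
```

Two points the scenario makes visible: the client only learns that its access token has expired from the server's rejection, so the expiry check belongs to the servers on both token kinds; and the revocation after the replay does not invalidate the already-issued access token, which keeps working until its own short `exp` passes, which is the reason the access lifetime has to be minutes.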