I have a mobile app that implements JWT authentication with the backend. Access tokens are short-lived (1h) and are not stored on the backend. Now for the refresh tokens:
If refresh tokens have an expiration it means users will be periodically logged out which is highly undesirable from the business standpoint, it can harm user retention. Is there a way to avoid this without weakening the security, e.g. making refresh tokens "eternal"?
What's the best way of storing and cleaning up the refresh token table that would prevent accumulation of unused tokens? Say I have the following table structure: `user_id`, `device_id`, `refresh_token`. If the strategy is to never expire the refresh tokens, the only way to invalidate them would be when a user logs out. However, users can also delete the app, lose or damage the device, or have their `device_id` changed for whatever reason. One solution I can think of is to have a `refreshed_at` timestamp that will allow invalidating the tokens, say, after a few months of non-use. Any other known tricks?

Say I use a shared secret string in addition to the refresh token when refreshing access tokens. Is my understanding correct that if all 3 are compromised (access token, refresh token and shared secret), there's nothing I can do about it? What are the best practices for the `refresh` API call?
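As an added example (not code from the question), here is an in-memory sketch of the store the question describes, keyed by (user_id, device_id) with the proposed `refreshed_at` column. The 90-day idle limit, storing only a SHA-256 digest of the token, and rotating the token on every refresh are assumptions, not part of the question.

```python
import hashlib
import secrets
from typing import Any, Dict, Optional, Tuple

DAY = 24 * 3600
IDLE_LIMIT = 90 * DAY  # assumed "few months" of non-use, in seconds


def _hash(token: str) -> str:
    # Store only a digest: a leaked table then yields nothing replayable.
    return hashlib.sha256(token.encode()).hexdigest()


class RefreshTokenStore:
    """Rows keyed by (user_id, device_id), mirroring the question's table,
    plus the proposed refreshed_at column (epoch seconds)."""

    def __init__(self) -> None:
        self._rows: Dict[Tuple[str, str], Dict[str, Any]] = {}

    def issue(self, user_id: str, device_id: str, now: float) -> str:
        """Create a new token for this device, replacing any existing row."""
        token = secrets.token_urlsafe(32)
        self._rows[(user_id, device_id)] = {"hash": _hash(token), "refreshed_at": now}
        return token

    def refresh(self, user_id: str, device_id: str, token: str, now: float) -> Optional[str]:
        """Validate, then rotate. Returns the new token, or None if rejected.
        A mismatching token (e.g. reuse of an already-rotated one) or an idle
        row revokes the device session, so a stolen copy cannot be replayed."""
        row = self._rows.get((user_id, device_id))
        if row is None:
            return None
        stale = now - row["refreshed_at"] > IDLE_LIMIT
        if stale or not secrets.compare_digest(row["hash"], _hash(token)):
            del self._rows[(user_id, device_id)]
            return None
        return self.issue(user_id, device_id, now)  # old token is now invalid

    def purge_idle(self, now: float) -> int:
        """Cleanup job: drop rows not refreshed within IDLE_LIMIT; returns count."""
        stale = [k for k, r in self._rows.items() if now - r["refreshed_at"] > IDLE_LIMIT]
        for key in stale:
            del self._rows[key]
        return len(stale)

    def count(self) -> int:
        return len(self._rows)
```

Run `purge_idle` from a scheduled job; `refresh` handles the per-request path and `count` is only there to inspect the table.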