Let's say that after a successful login we pass the user a short-lived access token (15 minutes) and a long-lived refresh token (7 days).

On day 7 the user is in the middle of some business logic in our app and his refresh token expires. So if the refresh token expires he will be logged out while doing some business in our app.

So how do we avoid that situation? Should we somehow renew refresh tokens?

1 Answer


Session expiry is standard behaviour that you need to code for, since refresh tokens cannot and should not last forever.

This scenario is common in work setups if the user leaves their browser running overnight and then returns to the app the next morning. The logic typically involves the following steps:

  • Token refresh returns an error with an error code of 'invalid_grant' which the app can check for
  • The app then must redirect the user to re-authenticate, after which they can carry on with their work
  • Before the redirect the app stores the user's app location and current page state, e.g. in session storage
  • After the redirect the app restores the location and page state

This works even if the user is in the middle of submitting a form. The one caveat is that you should of course not save high security fields such as a credit card number in UI storage - so the user would need to re-enter such values after returning from login.

You can implement this quite easily, as in this sample code of mine, which may give you some ideas for your own solution.
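The four steps above, as an added example that is not part of the answer or the answerer's linked sample. Storage and navigation are injected so the same functions run in Node for testing and in a browser with `window.sessionStorage` and `window.location.assign`; the storage key, the list of sensitive field names, the `/login` path and the `fakeTokenEndpoint` stand-in are assumptions made for the example, and the form values are constructed.

```javascript
// Added example (not from the original answer): handle refresh-token expiry by
// classifying the token endpoint's error, saving location + page state (minus
// high-security fields), redirecting to login, and restoring state afterwards.

const STATE_KEY = 'app.pendingState';                        // assumed key name
const SENSITIVE_FIELDS = new Set(['cardNumber', 'cvv', 'password']); // assumed list

// Minimal in-memory stand-in (constructed) with the sessionStorage API subset
// used below; pass window.sessionStorage in a real browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Caveat from the answer: never write high-security fields to UI storage.
function sanitizeFormState(form) {
  const out = {};
  for (const [k, v] of Object.entries(form)) {
    if (!SENSITIVE_FIELDS.has(k)) out[k] = v;
  }
  return out;
}

// Step 1: classify the token endpoint's response. Only invalid_grant means
// "re-authenticate"; network/5xx failures are transient and must not log
// the user out.
function classifyRefreshResponse(res) {
  if (res.ok) return { status: 'refreshed', accessToken: res.body.access_token };
  if (res.body && res.body.error === 'invalid_grant') return { status: 'reauth' };
  return { status: 'retry', error: res.body ? res.body.error : 'network' };
}

async function refreshAccessToken(refreshFn, refreshToken) {
  return classifyRefreshResponse(await refreshFn(refreshToken));
}

// Steps 3 and 2: persist location + sanitized page state, then redirect.
function saveStateAndRedirect(storage, navigate, location, formState) {
  const saved = { location, form: sanitizeFormState(formState), savedAt: Date.now() };
  storage.setItem(STATE_KEY, JSON.stringify(saved));
  navigate('/login');                                        // assumed login route
  return saved;
}

// Step 4: on return from login, read the saved state once and discard it.
// Stale entries (older than maxAgeMs) are ignored rather than replayed.
function restoreState(storage, maxAgeMs = 30 * 60 * 1000) {
  const raw = storage.getItem(STATE_KEY);
  if (raw === null) return null;
  storage.removeItem(STATE_KEY);                             // single use
  let saved;
  try { saved = JSON.parse(raw); } catch (e) { return null; }
  if (typeof saved.savedAt !== 'number' || Date.now() - saved.savedAt > maxAgeMs) return null;
  return saved;
}

// Glue: called when an API request needs a fresh access token.
async function ensureSession(deps) {
  const r = await refreshAccessToken(deps.refreshFn, deps.refreshToken);
  if (r.status === 'reauth') {
    saveStateAndRedirect(deps.storage, deps.navigate, deps.location, deps.formState);
  }
  return r;
}

// Constructed stand-in for the token endpoint: unknown or expired refresh
// tokens get the invalid_grant error code the answer says to check for.
function fakeTokenEndpoint(validTokens) {
  return async (refreshToken) => {
    if (validTokens.has(refreshToken)) {
      return { ok: true, status: 200, body: { access_token: 'at-' + refreshToken } };
    }
    return { ok: false, status: 400, body: { error: 'invalid_grant' } };
  };
}

// End-to-end walk-through with constructed inputs: the day-7 refresh fails,
// state is saved, the user is sent to /login, and the post-login page restores it.
async function runScenario() {
  const storage = memoryStorage();
  const visited = [];
  const deps = {
    refreshFn: fakeTokenEndpoint(new Set()),   // no valid refresh tokens: expired
    refreshToken: 'rt-expired',
    storage,
    navigate: (path) => visited.push(path),
    location: '/orders/42/edit',
    formState: { customer: 'acme', qty: 3, cardNumber: '4111111111111111' },
  };
  const result = await ensureSession(deps);
  const restored = restoreState(storage);     // would run on the landing page
  return { result, visited, restored };
}
```

The refresh classification deliberately distinguishes `invalid_grant` from transient failures: redirecting to login on every failed refresh turns a flaky network into spurious logouts. Restoring is single-use and age-bounded so a stale saved state cannot be replayed days later, and the card number is dropped before anything touches session storage, so the user re-enters it after logging back in.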