
How to support refresh tokens

Open chucksellick opened this issue 9 years ago • 11 comments

I've been trying to use your angular-jwt module with the express-jwt module to refresh expired tokens. However, the documentation for these two modules does not seem to match up or explain how they work with each other.

I've created an express route /api/auth/refresh where I am attempting to issue a new refreshed token, and I am calling this route from the 'delegated endpoint' feature of angular-jwt. But the following code throws a 'token expired' error and I'm therefore unable to continue and issue the refreshed token:

  // jsonwebtoken is the module that exposes verify(); express-jwt only wraps it
  var jwt = require('jsonwebtoken');
  // verify the existing token (throws TokenExpiredError when exp is in the past)
  var profile = jwt.verify(req.body.token, secret);

I'm reporting this as an issue since the documentation (for both modules) should really explain how they are meant to interoperate, and the documentation here could cover how the refresh is intended to be implemented in Express.

chucksellick avatar Jan 16 '15 12:01 chucksellick

Same problem, it's not clear how to support refresh tokens with express-jwt.

letalumil avatar Mar 21 '15 18:03 letalumil

Receiving a "token expired" error when verifying such a token is the correct behaviour.

But you can "bypass" this, by doing:

var jwt = require('jsonwebtoken');

jwt.verify(token, 'secret', function(err, decoded) {
    if (err) { // it should
        // jsonwebtoken reports an expired token as a TokenExpiredError
        if (err.name == 'TokenExpiredError' && err.message == 'jwt expired') { // paranoid mode
            // if decoded payloads needed : old_payloads = jwt.decode(token);
            var old_payloads = jwt.decode(token);
            // now you can check user, permissions, .... and serve a new token
            // (expiresInMinutes was replaced by expiresIn in later jsonwebtoken versions)
            var new_token = jwt.sign({ iss: old_payloads.iss }, 'secret', {expiresInMinutes: 60});
            res.json({token: new_token});
        }
    }
});

phiphou avatar Mar 23 '15 14:03 phiphou

Dealing with expired tokens seems to fall outside of the scope of JWT, and more into application and business logic. I would think the application should have logic to ask for a refresh token (basically issue a new token) in the background.

If you automatically issue a new token when you receive a request with an expired token, that defeats the built-in security of JWT with having tokens expire in the first place.

mikelax avatar May 12 '15 15:05 mikelax

@mikelax would you provide some demo code of how to implement the refresh token? I really want a common solution for that.

CrisLi avatar Sep 01 '15 11:09 CrisLi

I would think it is better performance wise to have the server issue a new token automatically, rather than have the client submit yet another http request to renew the token (which gets done by the server anyway) and then resubmit the previous request.

Regarding security, your token refresh rules could be:
* short expiry on all tokens (e.g. 5mins)
* refresh token if expiry is not too old (e.g. less than 55mins)
* check that other than expiry, old token is valid

If those are acceptable then reissue a token with the request, and allow it to complete normally.

At least that is what I would do.

samuel-gay avatar Nov 16 '15 04:11 samuel-gay

I agree with @mikelax . Refreshing access token is out of the scope of JWT. Check OAuth 2 Refresh token implementation: https://tools.ietf.org/html/rfc6749#section-1.5

visvk avatar Jan 05 '16 11:01 visvk

Claiming that token refresh is not within the domain of JWT implementations seems specious when this library supports token revocation. So +1

akotlar avatar Jan 18 '16 13:01 akotlar

+1

bestconsultant avatar May 23 '16 12:05 bestconsultant

+1

mitchellporter avatar Jul 24 '16 01:07 mitchellporter

Implemented this in https://github.com/sidjain26/koa-jsonwebtoken#refresh-token. Need feedback

f0rr0 avatar Sep 03 '16 11:09 f0rr0

Dealing with expired tokens seems to fall outside of the scope of JWT

~~Why not extend an interface like @f0rr0 did above and return a Promise? We can handle the business logic in the function opts.doRefresh~~

Edit: https://www.npmjs.com/package/jwt-autorefresh

timelf123 avatar Sep 27 '16 21:09 timelf123