simple-jwt-authentication
Refresh an expired token
Hi, I'm developing a mobile app and I use this plugin to generate my users' tokens. I have this scenario, and I think it could be common to many other people: I want to keep the user logged in, so I save the token for future use. If the user opens the app before the expiration date, I can refresh the token and extend its life; otherwise I have to automatically sign the user in again, and this implies storing the password, and that shouldn't happen. Another way could be setting a longer expiration time, but again it's not safe, and the user might not use the app for a long time, so the token would be expired again.
Wouldn't it be better to generate an access token and a refresh token, so we can also use the latter to refresh an expired token? Thanks in advance.
Hi @Nicuz
So what you'd want is the ability to create a new access token when it's expired. And that refresh token would ONLY be usable as an authentication to request a new access token.
Alright I can see the use for such a thing! In terms of security tho the very best thing would be to have the user login again if their token has expired.
For users that are active you could actually just refresh the token yourself for them using the refresh endpoint (https://github.com/jonathan-dejong/simple-jwt-authentication/wiki/Documentation#wp-jsonsimple-jwt-authenticationv1tokenrefresh) if the token is older than
That being said, I do think there is a case for what you're asking for. However this is an Open Source plugin and I can't promise I can take time to develop it any time soon. I do love a good pull request tho! ;)
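Added example, not part of the thread and not the plugin's code: a minimal sketch of the access/refresh split discussed above, in which a refresh token is accepted only for minting a new access token. The `use` claim name, the lifetimes, the secret and all function names are assumptions made for this illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"      # constructed value, not a real key
ACCESS_TTL = 15 * 60                     # assumed access-token lifetime (s)
REFRESH_TTL = 30 * 24 * 3600             # assumed refresh-token lifetime (s)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(head: str, body: str) -> bytes:
    return hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign(claims: dict) -> str:
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(head, body))}"

def verify(token: str, use: str, now: int) -> dict:
    """Return the claims only if signature, intended use and expiry all hold.

    The algorithm is fixed to HS256 here; the header's "alg" is never trusted.
    """
    head, body, sig = token.split(".")
    if not hmac.compare_digest(_mac(head, body), _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("use") != use:         # refresh token presented as access, or vice versa
        raise ValueError("wrong token use")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims

def issue_pair(user_id: int, now: int) -> tuple:
    """Called once at login: short-lived access token plus long-lived refresh token."""
    access = sign({"sub": user_id, "use": "access", "exp": now + ACCESS_TTL})
    refresh = sign({"sub": user_id, "use": "refresh", "exp": now + REFRESH_TTL})
    return access, refresh

def refresh_access(refresh_token: str, now: int) -> str:
    """Refresh endpoint: the only place a refresh token is accepted."""
    claims = verify(refresh_token, "refresh", now)
    return sign({"sub": claims["sub"], "use": "access", "exp": now + ACCESS_TTL})
```

With this split the app stores only the refresh token, never the password, and every protected route calls `verify(token, "access", now)`.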