How to refresh jwt token?

Open daheige opened this issue 3 years ago • 3 comments

https://github.com/kataras/jwt#token-pair How to refresh jwt token? From this help document, it seems that I don't see how to use it. Can you give a specific HTTP web demo or show how to refresh the token?

daheige avatar Nov 02 '20 14:11 daheige

There is no example on refresh tokens in this repository because there are different strategies for that. If you see the README's References section's link you can follow some articles about it. Instead, we have a simple example at: https://github.com/kataras/iris/tree/jwt-new-features/_examples/auth/jwt/refresh-token.

In short:

Sign the access and refresh tokens and generate a pair which is sent to the client

func generateTokenPair() jwt.TokenPair {
	// Simulate a user...
	userID := "53afcf05-38a3-43c3-82af-8bbbe0e4a149"

	refreshClaims := jwt.Claims{Subject: userID}

	accessClaims := UserClaims{
		ID:       userID,
		Username: "kataras",
	}

	// Short-lived access token.
	accessToken, err := jwt.Sign(alg, secret, accessClaims, 5*time.Minute)
	if err != nil {
		panic(err) // handle the signing error as fits your application
	}

	// Longer-lived refresh token, signed with the same key.
	refreshToken, err := jwt.Sign(alg, secret, refreshClaims, 1*time.Hour)
	if err != nil {
		panic(err)
	}

	tokenPair := jwt.NewTokenPair(accessToken, refreshToken)
	return tokenPair
}

Create a handler on /login and send the result of that token pair.

The refresh operation (there are other strategies though)

currentUserID := "53afcf05-38a3-43c3-82af-8bbbe0e4a149"
var refreshToken []byte // take from header...

// Verify the refresh token and require the expected subject.
_, err := jwt.Verify(alg, secret, refreshToken, jwt.Expected{Subject: currentUserID})
if err != nil {
	// send 401 and return, so no new pair is issued
}

tokenPair := generateTokenPair()
// ^ send this to the client

Create a handler on /refresh and send the result of that token pair.

Your client can fire 'silent' calls to the /refresh to renew its access token automatically.

kataras avatar Nov 02 '20 15:11 kataras
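
An added example, not part of the thread or of kataras/jwt: a `/refresh` handler along the lines of the answer above, written against the Go standard library only, so `sign` and `verify` are minimal HS256 stand-ins for `jwt.Sign` and `jwt.Verify`. The `use` claim, the `Authorization: Bearer` transport, the listen address and the secret are assumptions made for the example; the `use` check keeps an access token from being accepted at the refresh endpoint when both tokens share one key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/http"
	"strings"
	"time"
)

const header = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" // {"alg":"HS256","typ":"JWT"}
var secret, b64 = []byte("constructed-demo-secret"), base64.RawURLEncoding
type claims struct {
	Sub string `json:"sub"`
	Use string `json:"use"` // "access" or "refresh" (hypothetical claim name)
	Exp int64  `json:"exp"`
}

func seal(body string) string { // body + "." + base64url(HMAC-SHA256(body))
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(body))
	return body + "." + b64.EncodeToString(h.Sum(nil))
}
func sign(sub, use string, ttl time.Duration) string { // stand-in for jwt.Sign
	p, _ := json.Marshal(claims{sub, use, time.Now().Add(ttl).Unix()})
	return seal(header + "." + b64.EncodeToString(p))
}

func verify(tok, use string) (c claims, ok bool) { // stand-in for jwt.Verify
	p := strings.Split(tok, ".")
	// Pinned header (no alg negotiation), then a constant-time MAC comparison.
	if len(p) == 3 && p[0] == header && hmac.Equal([]byte(seal(p[0]+"."+p[1])), []byte(tok)) {
		raw, err := b64.DecodeString(p[1])
		ok = err == nil && json.Unmarshal(raw, &c) == nil && c.Use == use && time.Now().Unix() < c.Exp
	}
	return c, ok
}

func refresh(w http.ResponseWriter, r *http.Request) {
	c, ok := verify(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "), "refresh")
	if !ok {
		http.Error(w, "invalid refresh token", http.StatusUnauthorized)
		return // never fall through to issuing a new pair
	}
	a, n := sign(c.Sub, "access", 5*time.Minute), sign(c.Sub, "refresh", time.Hour)
	json.NewEncoder(w).Encode(map[string]string{"access_token": a, "refresh_token": n})
}

func main() { http.ListenAndServe("127.0.0.1:8080", http.HandlerFunc(refresh)) }
```

The new pair is issued for the subject taken from the verified refresh token, not from anything else the client sends.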

@daheige If you still need a native net/http example, just comment below and I will prepare http.Server, http.Client and JavaScript client examples for you :) Keep in mind that the refresh strategy depends on your application requirements and it's better if you just google and get ideas from there instead, so you have the complete picture in your mind before deciding what is better for you.

kataras avatar Nov 02 '20 15:11 kataras

Thank you very much. After reading what you said, there are indeed different refresh strategies. This depends on the business scenario. I will try these strategies you mentioned, and if there are other questions, I will consult you again.

daheige avatar Nov 03 '20 13:11 daheige