Use Refresh token in token-based authentication?

I am creating token-based authentication (Node.js using Passport/JWT with an Angular client).

After the user enters his credentials, he receives an access token, which he sends with every request inside the header (header: Bearer TOKEN).

I don't want to require a login request every time his access token expires (approximately every day, I think); I heard about refresh tokens. The refresh token never expires (or rarely expires) and can renew tokens indefinitely. When the access token expires, the client can send a renewal request, carrying the refresh token, to receive a new access token.

I understand this only partly; maybe I am missing something:

  • How long-lived / never-expiring refresh tokens do not compromise the security of short-lived access tokens.

  • Cookies can be stolen and used until they expire. Tokens are short-lived, so they are more secure, but if I provide a long-lived refresh token, I lose the advantage of using tokens.

NOTE: I know that refresh tokens are sent only at the initial login, so they cannot be tampered with on every request, but if they are tampered with at the initial request, they are vulnerable.

+4
Tags: security, token, access-token, jwt
Dec 08 '14 at 13:27
1 answer

The refresh token is presented on a different path than the access token: the access token is only ever presented to the resource server, the refresh token only ever to the authorization server. The access token can be self-contained, so it does not need expensive calls to the authorization server to verify its validity, but to reduce the damage and improve accuracy (it cannot be revoked if something goes wrong), it is short-lived. The refresh token is long-lived and is checked against the authorization server every time it is used, and therefore it can be revoked. The combination of these two mechanisms ensures the system's security.

+4
Dec 08 '14 at 13:50
