Is refreshing an expired JWT token a good strategy?

  • If I understand best practices, JWT usually has an expiration date that is short-lived (~ 15 minutes). So if I don't want my user to log in every 15 minutes, I should refresh my token every 15 minutes.

    I need to maintain a valid session for 7 days (UX point of view), so I have two solutions:

    • use a long-lived JSON web token (1 week) -- bad practice?
    • get a new JSON web token after the old one expires (JWT 15 min, refresh allowed during 1 week)

    I'm forcing the use of HTTPS.

    The JWT standard doesn't speak about refreshing tokens. Is refreshing an expired token a good strategy?

  • Refreshing a token is done to confirm with the authentication service that the holder of the token still has access rights. This is needed because validation of the token happens via cryptographic means, without the need to contact the authentication service. This makes the evaluation of the tokens more efficient, but makes it impossible to retract access rights for the life of a token.

    Without frequent refreshing, it is very difficult to remove access rights once they've been granted to a token. If you make the lifetime of a token a week, you will likely need to implement another means to handle, for example, the deletion of a user account, changing of a password (or other event requiring relogin), and a change in access permissions for the user.

    So stick with the frequent refresh intervals. Once every 15 minutes shouldn't be enough to hurt your authentication service's performance.

    Edit 18 November 2019: Per @Rishabh Poddar's comment, you should generate a new refresh token every time the old one is used. See this in-depth discussion of session management for details.

    So I can refresh an expired token? Why do people recommend not to?

    ping @neil-smithline

    Without a reference, it is hard to understand why something was recommended. Do you have references? The point of refresh tokens is to allow revocation of access rights without hitting the authentication service too frequently. You can refresh the token (which does an access check) without needing to reauthenticate.

    Ok, so refresh tokens can also expire but are long-lived. They are only used to do revocation of access rights. So those tokens can be used to refresh an expired token.

    And when the refresh token expires, reauthentication is required.

    What if the user closes the app for 30 minutes? How do you fetch a new token every 15 min when the app is not running?

    @AliSherafat - as long as the refresh token is saved and still valid, then the app can get a new access token. If the refresh token is expired, then the user has been logged out due to being idle and will need to login again.

    Got it, but should the refresh token be updated? If I set its lifetime to 1 day and a user is still using the app, do I have to log them out? Or extend the lifetime of the refresh token while it is in use?

    @AliSherafat I don't think that there is a standard way to update the refresh token. When both access and refresh tokens expire, the user is logged out. If your refresh token has a 24 hour TTL, then your website or service requires reauthentication once a day. That's pretty common.

    It's not recommended to refresh an expired JWT token. They are meant to expire for security purposes, and I don't even believe it is possible to refresh an expired JWT token based on how I know that they are generated. A new token should be generated per action, and each JWT claim should contain a unique identifier to track the API calls.

    To add a bit more information: The ideal method according to RFC 6819 is to keep changing refresh tokens when they are used - this provides the maximum amount of security as demonstrated in this 2-part blog post.

    Thanks @RishabhPoddar - I updated the post.
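As an added, stand-alone illustration of the scheme discussed in the question and the accepted answer (15-minute self-verifying access tokens, a one-week refresh window, refresh tokens rotated on every use per RFC 6819, and the access check done at refresh time), here is a Python sketch that is not code from any of the posters. The signing key, the in-memory store and the user names are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key"   # constructed for this example; use a managed secret in practice
ACCESS_TTL = 15 * 60               # 15-minute access token, as in the question
REFRESH_TTL = 7 * 24 * 3600        # refresh allowed for one week, the UX requirement

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_access_token(sub: str, now: int) -> str:
    """Self-contained HS256 JWT: resource servers verify it without calling the auth service."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "iat": now, "exp": now + ACCESS_TTL}).encode())
    return f"{header}.{payload}.{_sign(header + '.' + payload)}"

def verify_access_token(token: str, now: int):
    """Return the subject if signature and expiry check out, else None. Needs no server state."""
    parts = token.split(".")
    if len(parts) != 3 or not hmac.compare_digest(_sign(parts[0] + "." + parts[1]), parts[2]):
        return None
    claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    return claims["sub"] if now < claims["exp"] else None

class RefreshStore:
    """Auth-service state: opaque refresh tokens, rotated on every use, revocable per user."""
    def __init__(self):
        self.live = {}              # refresh token -> {"sub", "exp", "family"}
        self.used = {}              # spent refresh token -> family, for replay detection
        self.revoked_users = set()  # account deleted, password changed, permissions changed

    def login(self, sub: str, now: int):
        return issue_access_token(sub, now), self._new_refresh(sub, now + REFRESH_TTL, None)

    def refresh(self, refresh_token: str, now: int):
        """Exchange a refresh token for a new pair; None means the user must log in again."""
        if refresh_token in self.used:  # replay of a rotated token: revoke its whole family
            fam = self.used[refresh_token]
            self.live = {t: r for t, r in self.live.items() if r["family"] != fam}
            return None
        rec = self.live.pop(refresh_token, None)  # single use: the old token dies here
        if rec is None or now >= rec["exp"] or rec["sub"] in self.revoked_users:
            return None
        self.used[refresh_token] = rec["family"]
        # The one-week window is absolute (set at login), not extended by each refresh.
        return issue_access_token(rec["sub"], now), self._new_refresh(rec["sub"], rec["exp"], rec["family"])

    def _new_refresh(self, sub: str, exp: int, family):
        token = secrets.token_urlsafe(32)
        self.live[token] = {"sub": sub, "exp": exp, "family": family or token}
        return token
```

Revoking a user (adding them to `revoked_users`) takes effect at the next refresh, i.e. within one access-token lifetime, which is the trade-off the answer describes.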

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM