So, I've been assigned a task to create APIs for an Instagram-like application. And Laravel is the framework that we decided to go with. I'm setting up authentication, and the last time I did it, it was just with long-lived access tokens (JWT). You know, like once users authenticate they're issued a long-lived access token which they provide on every subsequent request. In fact, I'm thinking about doing this again.
But I've recently learned that long-lived access tokens are bad. They can be stolen and misused. Short-lived access tokens must be used and should be renewed by a refresh token.
So, how do I introduce this "refresh token" into this client-server stateless architecture?
Kindly share your experience.
Top comments (3)
JWT tokens are not supposed to be long-lived, quite the opposite. They're designed to be short-lived with refresh capabilities.
Conceptually, the token would be refreshed on the server when a request is made. The server would check how long the JWT has left and, if within a configured timeframe, would refresh it and deliver it back to the client.
The client would need to be set up to check for a new JWT on each response and use that over the previous one.
Alright. So, if an existing JWT access token is about to expire, it should be refreshed with a new one ON the server. The client can expect a refreshed token on any response and, once received, must replace the old token.
But why do that? What's the point? How is that secure?
Can you also please point me to some articles?
The answers to those questions could be its own article, so I'd urge you to do some research on the topic and come back with specific questions :)
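The sliding-refresh scheme described in the first comment (server checks remaining lifetime on each request and hands back a fresh token when it is close to expiry), as an added stand-alone example that is not from the original thread or from Laravel; it mints and verifies a minimal HS256 JWT with only the standard library, and the key, lifetimes and claim values are constructed for the demo:

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret"  # assumption: server-side HMAC key, never sent to clients
ACCESS_TTL = 900                     # access token lives 15 minutes
REFRESH_WINDOW = 300                 # re-issue when fewer than 5 minutes remain

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, now: int) -> str:
    """Mint an HS256 JWT for subject `sub` that expires ACCESS_TTL seconds after `now`."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps({"sub": sub, "iat": now, "exp": now + ACCESS_TTL},
                              separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":   # refuse "none" or other algs
            return None
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):      # constant-time compare
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:           # malformed base64 / JSON / wrong number of segments
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

def handle_request(token: str, now: int) -> Tuple[bool, Optional[str]]:
    """Per-request server check. Returns (authorised, replacement_token); the
    replacement is only set when the token is valid but within REFRESH_WINDOW of expiry,
    so the client swaps it in and a stolen token stays usable for at most ACCESS_TTL."""
    claims = verify_token(token, now)
    if claims is None:
        return False, None
    if claims["exp"] - now <= REFRESH_WINDOW:
        return True, issue_token(claims["sub"], now)
    return True, None
```

An expired or tampered token is rejected outright; the client must re-authenticate rather than being able to refresh from it.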