DEV Community

Sumit Wadhwa
Sumit Wadhwa

Posted on

How to know if oauth2.0 authentication setup might be an overkill?

So, I'm assigned with a task to create APIs for an Instagram-like application. And, Laravel is the framework that we decided to go with. I'm setting up authentication and the last time I did it, it was just with long-lived access tokens (jwt). You know like once users authenticate they're issued a long-lived access tokens which they provide on every subsequent requests. In fact, I'm thinking about doing this again.

But, I've recently learned that long-lived access tokens are bad. They can be stolen and misused. Short-lived access tokens must be used and should be renewed by a refresh token.

So, how do I introduce this "refresh token" into this client-server stateless architecture?

Kindly share your experience.

Thank you.

Discussion (3)

Collapse
devdrake0 profile image
Si

JWT tokens are not supposed to be long-lived, quite the opposite. They're designed to be short-lived with refresh capabilities.

Conceptually, the token would be refreshed in the server when a request is made. The server would check how long the JWT has left and if within a configured timeframe, would refresh and deliver it back to the client.

The client would need to be set-up to check for a new JWT on response and use that over the previous one.

Collapse
chandlerbing016 profile image
Sumit Wadhwa Author

Alright. So, If an existing jwt access token is about to be expired, it should be refreshed with a new one ON the server. Client can expect a refreshed token on any response and once received must replace the old token.

But, why do that? What's the point? How's that secure?

Can you also please point some articles?

Thanks.

Collapse
devdrake0 profile image
Si

The answers to those questions could be it's own article, so I'd urge you to do some research on the topic and come back with specific questions :)