DEV Community

Discussion on: How to know if oauth2.0 authentication setup might be an overkill?

Si (devdrake0)

JWT tokens are not supposed to be long-lived, quite the opposite. They're designed to be short-lived with refresh capabilities.

Conceptually, the token would be refreshed in the server when a request is made. The server would check how long the JWT has left and if within a configured timeframe, would refresh and deliver it back to the client.

The client would need to be set up to check for a new JWT on response and use that over the previous one.
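The sliding refresh Si describes, written out as an added example that is not code from the thread: a minimal HS256 JWT so it runs offline, a server-side handler that re-issues the token when less than a configured window remains, and the client-side swap. It also records when the session first began so refreshes cannot extend one forever; that cap, the secret, the claim name `ss`, and all threshold values are assumptions for the demo.

```python
# Added example: sliding-window JWT refresh with a minimal HS256 JWT (constructed, not from the thread).
import base64, hashlib, hmac, json
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret"   # constructed; a real deployment uses a managed key
TOKEN_TTL = 900                       # each access token lives 15 minutes
REFRESH_WINDOW = 300                  # re-issue when fewer than 5 minutes remain
MAX_SESSION = 8 * 3600                # absolute cap: sliding refresh stops after 8 hours (assumed policy)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(sub: str, now: int, session_start: Optional[int] = None) -> str:
    """Mint a JWT: exp is now + TTL; 'ss' (assumed claim name) records when the session began."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "iat": now, "exp": now + TOKEN_TTL, "ss": session_start if session_start else now}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify(token: str, now: int) -> Optional[dict]:
    """Return the claims if the HMAC is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):   # server never trusts the header's alg
        return None
    claims = json.loads(_unb64(payload))
    return claims if now < claims["exp"] else None

def handle_request(token: str, now: int) -> Tuple[Optional[dict], Optional[str]]:
    """Server side: validate; if inside the refresh window and under the session cap, mint a new token."""
    claims = verify(token, now)
    if claims is None:
        return None, None                      # reject (401); the client must log in again
    remaining = claims["exp"] - now
    if remaining < REFRESH_WINDOW and now - claims["ss"] < MAX_SESSION:
        return claims, issue(claims["sub"], now, claims["ss"])   # returned e.g. in a response header
    return claims, None

def client_update(stored: str, refreshed: Optional[str]) -> str:
    """Client side: adopt the refreshed token from the response when one is present."""
    return refreshed if refreshed else stored
```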

Sumit Wadhwa (swadhwa16)

Alright. So, if an existing JWT access token is about to expire, it should be refreshed with a new one ON the server. The client can expect a refreshed token on any response and, once received, must replace the old token.

But, why do that? What's the point? How's that secure?

Can you also please point me to some articles?

Thanks.

Si (devdrake0)

The answers to those questions could be its own article, so I'd urge you to do some research on the topic and come back with specific questions :)