I have a question, Isn't refresh token supposed to be another jwt token with longer expiry time?, In that case how would you update the redis db that has refresh jwt after it expires
Hey, it's a very good point!
The refresh tokens can be very long-lived JWTs but in this case you'll want to handle refresh token creation/expiration differently than I've mentioned above. Maybe you can create a logic something like that users need to post their expired refresh tokens with jwts. Than you check them both and verify that they belong to the same user and create another refresh token and jwt. Hopefully I could answer your question :)
1.store refreshToken=>token in redis db in server (if we can store in redis server will that cache remain alive till the refresh_token remains alive -like for 2-3 days or even a week)
2.whenever server recieves an expired token, it verfies the expired token from that mapping in no.1 and sends a new token to the client
3.I can store refreshToken in a cookie with better security like {sameSite} {httpOnly} {secured} and send it to server in every request from client
please correct me if this understanding is wrong, thank you
I have a question, Isn't refresh token supposed to be another jwt token with longer expiry time?, In that case how would you update the redis db that has refresh jwt after it expires
Hey, it's a very good point!
The refresh tokens can be very long-lived JWTs but in this case you'll want to handle refresh token creation/expiration differently than I've mentioned above. Maybe you can create a logic something like that users need to post their expired refresh tokens with jwts. Than you check them both and verify that they belong to the same user and create another refresh token and jwt. Hopefully I could answer your question :)
thank you for your response,
1.store refreshToken=>token in redis db in server (if we can store in redis server will that cache remain alive till the refresh_token remains alive -like for 2-3 days or even a week)
2.whenever server recieves an expired token, it verfies the expired token from that mapping in no.1 and sends a new token to the client
3.I can store refreshToken in a cookie with better security like {sameSite} {httpOnly} {secured} and send it to server in every request from client
please correct me if this understanding is wrong, thank you
If access and refresh tokens are gonna be saved to (Redis) DB, should they be hashed? I assume they should.