I'm currently working on a project with expressjs. For user authorization I use JWT tokens but until now only access tokens, because I just don't understand them together with a real example. So can somebody explain to me what steps the authorization goes through when someone logs into their account?
e.g.:
- Refresh and Access Tokens get generated
- Token gets stored into database etc.
Thank you in advance and have a great day
CodePudding user response:
- User sends a POST request with login credentials
- Server authenticates and if successful, returns a JWT (usually in a httpOnly cookie). Server does not store JWTs in a database. The whole point of JWT is that authentication state is stored by the bearer of it.
- For subsequent requests to protected endpoints, the client needs to attach the JWT. The server should check whether the JWT is expired and whether it has been altered.
Extensions that you might want to think about:
- How to refresh JWTs:
There are different refreshing patterns that can be used. For example, you can check the expiry of the JWT every time your server receives a request. If the JWT is expiring soon, issue a fresh JWT.
- How to maintain authentication state on the client side without having to log in every time you refresh the page
- How to really log a user out:
If you set the expiry as 30 minutes and a user logs out at the 15th minute mark, that JWT can technically still be used to access protected endpoints for another 15 minutes.