Nowadays I am going to develop a mobile app and am thinking about auth with JWT.
I heard that the protection technique against hijacking of an access token is serving a refresh token.
But if the app uses HTTPS, the token can never be decoded in remote communication, because HTTPS encrypts the Authentication HTTP header.
Therefore, in the case of using HTTPS, only serving an access token is no problem. I think...
I am a newbie, so I may have missed some logic or something. Could you please answer this question?
Thank you.
CodePudding user response:
HTTPS is only transport protection, and you should always use it today; that's best practice.
You receive access tokens to access APIs, so you send an access token to the API along with the request to authenticate the user/client.
But at the same time, you want to have a time limit on how long an access token is valid, like 1 day, 1 hour or 2 minutes.
As a client you are given an extra token (the refresh token) that you can use to ask for new access tokens.
So, the two tokens have different purposes.
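To make the two roles concrete, here is an added example (not code from the question or the answer): a short-lived access token that the API checks statelessly, and a long-lived refresh token that the auth server tracks, rotates on every use, and revokes as a family if an already-rotated refresh token is presented again. The signing key, TTLs and the in-memory store are constructed for this example; a real deployment would use a JWT library and persistent storage.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional, Tuple

SECRET = b"demo-signing-key-not-for-production"  # constructed for the example
ACCESS_TTL = 120          # seconds: a leaked access token is only useful this long
REFRESH_TTL = 30 * 86400  # refresh tokens live longer but are revocable server-side
_active_refresh = {}      # server-side store: refresh-token id -> token family id

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(claims: dict) -> str:
    # Minimal HMAC-SHA256 token: base64url(claims).base64url(mac)
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"

def _verify(token: str, now: int) -> Optional[dict]:
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged token
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims["exp"] > now else None  # expired tokens are rejected

def issue_pair(user: str, now: int, family: Optional[str] = None) -> Tuple[str, str]:
    # Called after login (new family) or by refresh() (same family, new ids)
    family = family or secrets.token_hex(8)
    rid = secrets.token_hex(8)
    _active_refresh[rid] = family
    access = _sign({"sub": user, "typ": "access", "exp": now + ACCESS_TTL})
    refresh_tok = _sign({"sub": user, "typ": "refresh", "jti": rid,
                         "fam": family, "exp": now + REFRESH_TTL})
    return access, refresh_tok

def authenticate(access_token: str, now: int) -> Optional[str]:
    # What the API does on every request: signature + expiry, no database lookup
    claims = _verify(access_token, now)
    return claims["sub"] if claims and claims["typ"] == "access" else None

def refresh(refresh_token: str, now: int) -> Optional[Tuple[str, str]]:
    # What the auth server does when the access token has expired
    claims = _verify(refresh_token, now)
    if not claims or claims["typ"] != "refresh":
        return None
    family = _active_refresh.pop(claims["jti"], None)  # rotate: single use
    if family is None:
        # An already-rotated token was replayed: revoke every token in its family
        for rid in [r for r, f in _active_refresh.items() if f == claims["fam"]]:
            del _active_refresh[rid]
        return None
    return issue_pair(claims["sub"], now, family)
```

The API only ever needs the signing key to accept an access token, while the refresh token's value is checked against the server-side store, which is what makes it revocable.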