Tools: .NET 6 with EF Core, Vue 3 with Axios.
R-Token is Refresh Token. DB is database.
I have a simple implementation of JWT Refresh Token auth.
- Client sends Login & Password.
- Check the password hash in the DB.
- If OK, generate a JWT token (short lifetime, 1-5 min) and a Refresh Token (long lifetime, 365 days), which is saved to the DB.
- Client makes requests with the JWT.
- When the Axios interceptor gets a 401, it tries to refresh the tokens with the Refresh Token generated below.
- A used Refresh Token is deleted from the DB; if the application can't find the R-Token in the DB, it responds with 403.
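
The flow in the list above, as an added example that is not part of the original post and is not the poster's .NET or Vue code. It is an in-memory JavaScript model: opaque random strings stand in for signed JWTs, `Map`s stand in for the EF Core tables, the R-Token is stored only as a SHA-256 hash (a choice of this example), and all function names are hypothetical.

```javascript
// Added example: in-memory model of the flow above. Opaque random strings
// stand in for signed JWTs; all names are hypothetical, not the poster's code.
const { randomBytes, scryptSync, timingSafeEqual, createHash } = require('crypto');

const ACCESS_TTL = 5 * 60 * 1000;            // JWT lifetime: 5 min
const REFRESH_TTL = 365 * 24 * 3600 * 1000;  // R-Token lifetime: 365 days
const sha256 = (s) => createHash('sha256').update(s).digest('hex');
const users = new Map();      // login -> { salt, hash }
const access = new Map();     // access token -> { login, exp }
const refreshDb = new Map();  // sha256(R-Token) -> { login, exp }  (the "DB")

function register(login, password) {         // constructed test-user setup
  const salt = randomBytes(16);
  users.set(login, { salt, hash: scryptSync(password, salt, 32) });
}

function issue(login, now) {                 // new JWT + new R-Token saved to DB
  const jwt = randomBytes(32).toString('hex');
  const rToken = randomBytes(32).toString('hex');
  access.set(jwt, { login, exp: now + ACCESS_TTL });
  refreshDb.set(sha256(rToken), { login, exp: now + REFRESH_TTL });
  return { status: 200, jwt, rToken };
}

function login(name, password, now) {        // check password hash in DB
  const u = users.get(name);
  const ok = u && timingSafeEqual(u.hash, scryptSync(password, u.salt, 32));
  return ok ? issue(name, now) : { status: 401 };
}

function api(jwt, now) {                     // any protected endpoint
  const t = access.get(jwt);
  return t && t.exp > now ? { status: 200, login: t.login } : { status: 401 };
}

function refresh(rToken, now) {
  const key = sha256(rToken);
  const row = refreshDb.get(key);
  if (!row) return { status: 403 };          // unknown or already used R-Token
  refreshDb.delete(key);                     // one-time use: delete before reissuing
  return row.exp > now ? issue(row.login, now) : { status: 403 };
}

// Client side: what the Axios 401 interceptor does, written synchronously.
function request(session, now) {
  const res = api(session.jwt, now);
  if (res.status !== 401) return res;
  const r = refresh(session.rToken, now);
  if (r.status !== 200) return r;            // 403: the client must log in again
  Object.assign(session, { jwt: r.jwt, rToken: r.rToken });
  return api(session.jwt, now);
}
```

Because each R-Token works once, two requests that receive 401 at the same moment need to share a single refresh call; otherwise the second one presents the already deleted token and gets 403.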