How to keep user logged in once token get expired?

Time: 03-31

I have created an API in PHP using JWT. I have set a 10 minute expiration time for tokens. How can I verify if a user is still logged in after 10 minutes?

Like OAuth, which provides a refresh token along with the access token, so that using the refresh token we can generate a new access token. But I found in one Git thread that "The JWT standard does not have any concept of a 'refresh token' or 'access token'."

My JWTHandler function to create a token:

// Method of the asker's JWTHandler class (assuming firebase/php-jwt, whose
// JWT::encode matches this call; needs "use Firebase\JWT\JWT;" at the top of the file)
public function jwtEncodeData($iss, $data)
{
    $this->token = array(
        // Identifier of the issuer (who issued the token), also used as the audience
        "iss" => $iss,
        "aud" => $iss,
        // Current timestamp, recording when the token was issued
        "iat" => $this->issuedAt,
        // Token expiration
        "exp" => $this->expire,
        // Payload
        "data" => $data
    );

    $this->jwt = JWT::encode($this->token, $this->jwt_secrect, 'HS256');
    return $this->jwt;
}

It just returns the token. Is there any way to create a refresh token in JWT? Or should I create it with plain PHP, which may contain the user id? Then, if the client receives an Invalid token error, they can request a new token with that user id in the refresh token.

CodePudding user response:

You need to look at the OpenID Connect (OIDC) protocol, which defines how refresh tokens, ID tokens and access tokens work together.

CodePudding user response:

I have set a 10 minute expiration time for tokens. How can I verify if a user is still logged in after 10 minutes?

Access tokens are disconnected from user sessions. The lifetime of an access token has nothing to do with a user's session. It seems to me that in your setup you should rather be using plain old sessions instead of access and refresh tokens.

But I found in one Git thread that "The JWT standard does not have any concept of a 'refresh token' or 'access token'."

That is true because the JWT standard only tells you what a JSON Web Token should look like, how it can be signed for integrity protection (through the JWS standard), and how it can be encrypted for privacy (through the JWE standard). JWTs can be used for many different purposes, and access and refresh tokens are just one such purpose.

Is there any way to create a refresh token in JWT?

JWT is not a framework that you can use to create refresh tokens automatically, consume them, etc. OAuth and OpenID Connect are standards that define how to deal with access and refresh tokens (which flows allow you to issue those tokens, and how to properly refresh access tokens). You can have a look at the refresh grant from OAuth. It describes what you need. Basically, you need to issue another token (it may be a JWT) and send both to the client. When the client needs to refresh the access token, it sends the refresh token to a special endpoint and gets a new access token (if the refresh token is valid).

Again, in your case, I feel that implementing the OAuth refresh flow will be a bit of overkill, and I would definitely have a look at sessions.
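The refresh grant sketched in this answer, as an added PHP example that is not the asker's or the answerer's code: it issues an access token and a refresh token, and the refresh endpoint accepts only a valid, unrevoked refresh token, rotating it on use. The secret, the lifetimes, the hand-rolled HS256 helpers and the in-memory jti store are assumptions.

```php
<?php
// Added example, not the asker's code; SECRET, the lifetimes and the in-memory jti store are assumptions.
const SECRET      = 'replace-with-a-long-random-secret';
const ACCESS_TTL  = 600;               // 10 minutes, as in the question
const REFRESH_TTL = 14 * 24 * 3600;    // 14 days (assumed)
function b64url(string $s): string { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }
// Sign claims as an HS256 JWT (same layout that JWT::encode produces).
function signJwt(array $claims, string $secret): string {
    $head = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body = b64url(json_encode($claims));
    $sig  = b64url(hash_hmac('sha256', "$head.$body", $secret, true));
    return "$head.$body.$sig";
}
// Verify signature and expiry, returning the claims or null. The algorithm is fixed
// rather than read from the header; hash_equals is a constant-time comparison.
function verifyJwt(string $jwt, string $secret): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$head, $body, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', "$head.$body", $secret, true));
    if (!hash_equals($expected, $sig)) return null;
    $claims = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    return (is_array($claims) && ($claims['exp'] ?? 0) >= time()) ? $claims : null;
}
// Issue an access token plus a refresh token. The refresh token's random jti is
// recorded server-side so it can be revoked and rotated (single use).
function issuePair(string $userId, array &$refreshStore): array {
    $now = time();
    $jti = bin2hex(random_bytes(16));
    $refreshStore[$jti] = $userId;
    return [
        'access_token'  => signJwt(['sub' => $userId, 'typ' => 'access', 'iat' => $now, 'exp' => $now + ACCESS_TTL], SECRET),
        'refresh_token' => signJwt(['sub' => $userId, 'typ' => 'refresh', 'jti' => $jti, 'iat' => $now, 'exp' => $now + REFRESH_TTL], SECRET),
    ];
}
// Refresh endpoint: only a valid, unrevoked refresh token yields a new pair. The typ
// check rejects an access token presented here; the used jti is dropped (rotation).
function refresh(string $refreshToken, array &$refreshStore): ?array {
    $claims = verifyJwt($refreshToken, SECRET);
    if ($claims === null || ($claims['typ'] ?? '') !== 'refresh') return null;
    $jti = $claims['jti'] ?? '';
    if (!isset($refreshStore[$jti])) return null;   // unknown, already used, or revoked
    unset($refreshStore[$jti]);
    return issuePair($claims['sub'], $refreshStore);
}
$store = []; $pair = issuePair('user-42', $store);           // demo run with a constructed user id
$ok = refresh($pair['refresh_token'], $store) !== null        // fresh refresh token works
    && refresh($pair['refresh_token'], $store) === null       // rotated token is rejected
    && refresh($pair['access_token'], $store) === null;       // access token is not a refresh token
echo $ok ? "refresh flow behaves as expected\n" : "unexpected result\n";
```

In a real service the jti store would be a database table keyed by user, so that all of a user's refresh tokens can be revoked on logout or password change.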
