JWT, refresh token flow on mobile apps

Time:12-18

const express = require('express');
const router = express.Router();

// Refresh endpoint: the client posts its refresh token here and receives a new token pair.
router.post('/refresh', (req, res) => { /* ... */ });

The access token expiration period is 7 days and the refresh token expiration period is 30 days. If 7 days have elapsed, it notifies the mobile app client that the access token has expired, and the client sends a refresh token to the server to check whether the refresh token is valid, and immediately receives a new access token for 7 days and a refresh token for 30 days. It's all right here, right?

But what about after 30 days? What if the user doesn't log in for 30 days? The refresh token will also expire. And I want to keep the user signed in forever. (This is for a mobile app, so re-signing in is not good for the user experience.) I don't know what to do at this time.

CodePudding user response:

You have a few options depending on the intended functionality and security requirements of your application.

  1. Change the expiry period of one or both tokens, possibly making the refresh token infinite to maintain some security.
  2. Is background refresh an option you can consider? If this can be completed without the user having opened the app, it will work well for you.
  3. Store user credentials and re-login (either automatically or manually) if re-accessing after the refresh token has expired.