
I am implementing JWT in one of my node apps. I am wondering, if there is any definite format/ structure in which a refresh token should be generated?

By definite format I mean whether a refresh token contain any claims like a JWT?

UPDATE

Let's assume a refresh token to be: fdb8fdbecf1d03ce5e6125c067733c0d51de209c (taken from Auth0). Now, what am I supposed to understand from this?

  • Is this a random unique string?
  • Is this an encrypted string which has claims inside?
Ayan
  • Possible duplicate of [JWT (JSON Web Token) automatic prolongation of expiration](https://stackoverflow.com/questions/26739167/jwt-json-web-token-automatic-prolongation-of-expiration) – Murtaza Hussain May 14 '19 at 14:43
  • @MurtazaHussain I guess not, as the link you posted talks about prolonging the JWT, whereas I am asking about the format of refresh tokens. I guess there is a difference in my question to the one you linked above. – Ayan May 14 '19 at 14:49
  • https://auth0.com/learn/refresh-tokens/ – Chris White May 14 '19 at 14:55
  • @ChrisWhite, I have gone through this article and many others. But my question is, does a refresh token have any format? For example: `fdb8fdbecf1d03ce5e6125c067733c0d51de209c`, taken from the article you posted, I can either assume that this is a random string or that it has some data encrypted. So now my point is, what should I assume? – Ayan May 14 '19 at 15:01
  • It appears to be a random token generated by the JWT auth provider. See here for an example of implementation: https://solidgeargroup.com/refresh-token-with-jwt-authentication-node-js – Chris White May 14 '19 at 17:48
  • @ChrisWhite Ok. I have gone through the article and currently have implemented something of that sort using the node crypto module. It's confusing as there is no proper documentation on how a refresh token should be generated. It's totally on assumption or requirement, I guess. – Ayan May 15 '19 at 08:19
  • @ChrisWhite looks like the solidgeargroup.com link is no longer valid. – schmiddy98 Apr 18 '22 at 16:32

1 Answer


Short answer

  • A refresh-token is just a random string.
  • All the user-related information including claims go in access-tokens

Explanation

You should keep something like this:

```
{
  _id: [refreshTokenId],
  value: 'fdb8fdbecf1d03ce5e6125c067733c0d51de209c',
  userId: [userId],
  expires: [some date],
  createdByIp: [some ip],
  createdAt: [some date],
  replacedBy: [anotherRefreshTokenId],
  revokedByIp: [some other ip],
  revokedBy: [some other date],
}
```

Refresh tokens are random strings generated by the authentication server. They are generated after successful authentication (for example, if the username and password of the user are valid).

Their sole purpose is to remove the need to exchange user credentials repeatedly. They are different from access-tokens.
An access-token usually has information about the user (like name, claims). These are usually short-lived. JWT is one example.

To get a JWT the app has to verify the credentials.
To add additional security, and to stop bothering the user for username and password every 15 mins, we just create a signature on the server-side and forward it to the app.
Next time, whenever the app needs to create a JWT, it can just send the signature back to the server. This signature is your refresh token.
Refresh tokens are also supposed to be saved somewhere.
So you would probably create a table/collection in your database, linking the refresh-token values with userIds and ip_address.
This is how you could create a session management panel for the user. The user can then view all the devices (ip_addresses) for which we have registered a refresh token.

Akshay Kumar
  • Thanks. I was looking for an answer like this. – John Harris Dec 22 '21 at 05:45
  • Why does the refresh token not use JWT? If it is just a random string, how do you set the expiry of the token? Or does it never expire? How about using JWT with the refresh token? @Akshay Kumar – Dolphin Mar 15 '22 at 04:28
  • @Dolphin Refresh tokens need not hold any info. So about setting the expiry, you could do that in your db. – Ayan Mar 15 '22 at 15:58
  • Refresh token is just server-generated random gibberish, saved in a DB record with a user id, an expiration timestamp, and a status (active/expired/replaced/what-have-you). When a session expires, the server only needs 2 things to issue a new access-token (with the user info): the random gibberish, and the userId. The server then issues an accessToken if it finds a DB record matching the gibberish:userId pair and with the status active. I hope this clarified things. @Dolphin – Akshay Kumar Mar 15 '22 at 18:52
  • Yes, it is clarified. I figured out how to handle the refresh token. @Akshay Kumar – Dolphin Mar 16 '22 at 02:41