
I would like to implement user login using JWT, but there is some confusion.

First, when the user successfully logs in, the server issues an Access Token and a Refresh Token. Then the server sends the user information (id, name, grade) in the Access Token.

At this time, the Refresh Token is stored in the database along with the userId and is not delivered to the client.

The Access Token has a period of 7 days, and if the client returns within 3 days, the server authenticates the user through the existing Access Token.

If the Access Token is more than 3 days old, the server uses the user_id to query the Refresh Token stored in the database. At this time, if the Refresh Token is valid, the server will try to reissue the 7-day Access Token.

I want to manage users in this way. Is this correct?

I think the server should not pass the Refresh Token to the client.

I've read the following, but I do not know how to do it properly. Thank you for your advice.

hyundeock

1 Answer


It sounds like you want to implement the full OAuth workflow for authentication. I'd advise you against the complexity unless your application really needs it. For a single API, it's alright if you issue a JWT token and pass it to the consumer, then the application will use this token in the requests and the server will authenticate the token.

However, if your application will be used by numerous devices (browser, mobile, desktop, even other servers) and assuming you want extra security, then OAuth might pay off. In that case, you should give the refresh tokens to the user, and not auto-renew them. Otherwise, imagine someone steals someone else's (outdated) token... it will get auto-renewed! That person will gain access to the system on behalf of the other person.

I recommend this package for working with Express and OAuth: https://www.npmjs.com/package/express-oauth-server

clovis1122
  • Thank you, but I currently want to run both the API server and the authentication server in a single Node.js application. The part you spoke about helped me understand. One ambiguity is that you do not store the refresh token in the database but instead provide it to the client? – hyundeock Jan 14 '19 at 00:27
  • Yes, that's because the `access token` expires. If you renew it every time that it expires, you're risking a security vulnerability where Hacker A, who stole an expired token from person B, will gain access to the system as if he was person B. If this risk is alright for you, then there's nothing else that's wrong with what you're doing. – clovis1122 Jan 14 '19 at 02:16
  • Thank you. Based on what you have said, let me look a little further. – hyundeock Jan 14 '19 at 03:52