How to use a JWT Refresh Token to generate a new Access Token
I'm assuming that you have your own back-end to handle the refresh token process. Please tell me if this is not the case
What I did to this process is to move all decoding and encoding to the back-end. But you have to make sure that you store the latest active refresh token in the back-end. Otherwise, someone could reuse old token to create access token.
- In the front-end store the expiry date. Then, everytime you make a request to the back-end, check if the expiry date is not exceeded (probably you want to take into account delays of the request e.g. 5 seconds before expiry). If it's expired, fire the refresh-token method.
- Create a refresh token endpoint in the
back-end
and send bothaccess-token
andrefresh-token
to it - Decode the
access-token
and get your necessary data. Ignore expiry date in this decode function. - Compare
refresh-token
with the latestrefresh-token
in the db. If it doesn't match, the user is not authorized. Otherwise, continue. - Now if you want to reuse the old data, you don't need to query your database and just re-encode the
access-token
content to a new token. Otherwise, do your query and rebuild theaccess-token
.
Hope this helps