Is refreshing an expired JWT token a good strategy?
Refreshing a token is done to confirm with the authentication service that the holder of the token still has access rights. This is needed because validation of the token happens via cryptographic means, without the need to contact the authentication service. This makes the evaluation of the tokens more efficient, but makes it impossible to retract access rights for the life of a token.
Without frequent refreshing, it is very difficult to remove access rights once they've been granted to a token. If you make the lifetime of a token a week, you will likely need to implement another means to handle, for example, the deletion of a user account, changing of a password (or other event requiring relogin), and a change in access permissions for the user.
So stick with the frequent refresh intervals. Once every 15-minutes shouldn't be enough to hurt your authentication service's performance.
Edit 18 November 2019: Per @Rishabh Poddar
's comment, you should generate a new refresh token every time the old one is used. See this in-depth discussion of session management for details.
You should refresh the token every 15 minutes, but you don't need to let the user authenticate again to do so.
- After authenticating, hand out a JWT that is valid for 15 minutes.
- Let the client refresh the token whenever it is expired. If this is done within seven days, a new JWT can be obtained without re-authenticating.
- After a session is inactive for seven days, require authentication before handing out a new JWT token.
This way you can for example require authentication after a user changed their password.
You can get the access token configured for 7 days when the user authenticates. However it won't be the best practice security-wise because it would be harder to revoke access if needed. Of course it depends on your needs but the best practice is to also get the refresh token and user it to refresh the access token every period.