Let's say we have the following scenario: A user login with correct credentials and he gets a token with expiration date. After some time (lets say 30 minutes) the token is expired and the user has to give again his credentials to be authorized. Our Goal is to not force the user give his username and password again.
How would you handle this problem? 🎉
you should be able to pass previous token to refresh token route and get a new token without user interacting with. What I usually do is, I store retrieved access_token and create a timestamp 30 seconds before it expires in session storage. Since all my requests require valid access token, before sending each request I check timestamp to see if the token is already expired. if so then I will send a request to refresh token request to get a new token with old token. once I receive the new token replace the old stored values with new ones and continue actual request. If refresh token fails then I redirect user to login page since user's session is already timed out and token is no longer valid.
You can use a Refresh Token.
Refresh tokens carry the information necessary to get a new access token. In other words, whenever an access token is required to access a specific resource, a client may use a refresh token to get a new access token issued by the authentication server. Common use cases include getting new access tokens after old ones have expired, or getting access to a new resource for the first time. Refresh tokens can also expire but are rather long-lived. Refresh tokens are usually subject to strict storage requirements to ensure they are not leaked. They can also be blacklisted by the authorization server.
NikosDev
Web Engineer
What happens if a hacker steal your refresh token? He has access to your account "forever"?