How to properly handle a JWT refresh?

隐瞒了意图╮ 2021-02-14 08:14

I have an Android app. It connects with a REST API developed with Jersey. My REST endpoints are secured with tokens. Below is how I generate them.

1 answer
  •  谎友^ (OP)
    2021-02-14 08:48

    1. How can I figure out whether the token has to be renewed? I thought I should do that after it is expired, but seems that is not the case. If I ask it to refresh in now

    You need to refresh the token before it is expired. Decide your policy:

    • issue a fresh token in every request

    • issue a fresh token when the current one is close to expiring, e.g. 10 min

    • let the client app request a new token when it needs one, using a "refresh service" of your API. For example:


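    @GET
    @Path("/jwt/refresh")
    @Produces(MediaType.TEXT_HTML)
    public String refresh(@Context SecurityContext sc) {
        // Build and return a fresh JWT to the client.
        // issueToken(...) is a placeholder for your existing token-generation code.
        return issueToken(sc.getUserPrincipal().getName());
    }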
    
    2. How can I assign and send this token back to the user?

    If you issue a fresh token during a request, you can return it in a special header that the client will read while processing the response. If you publish a "refresh" service as described above, then the client will call it independently when the current JWT is close to expiring.

    Redirecting to the login method is not a good alternative because you will lose the current request.

    3. How do I actually refresh using java-jwt?

    Just issue a new token
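
The "refresh when close to expiry" policy from the answer above, as an added example that is not part of the original answer. It assumes the auth0 java-jwt library and an HMAC256 shared key; the `TokenRefresher` class, its method names and the 30-minute lifetime are hypothetical.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.nio.charset.StandardCharsets;
import java.util.Date;

public class TokenRefresher {
    // Assumed policy: 30-minute tokens, renewed in their last 10 minutes.
    static final long LIFETIME_MS = 30 * 60 * 1000L;
    static final long REFRESH_WINDOW_MS = 10 * 60 * 1000L;

    private final Algorithm algorithm;
    TokenRefresher(byte[] secret) {
        this.algorithm = Algorithm.HMAC256(secret);
    }

    String issue(String subject, long lifetimeMs) {
        Date now = new Date();
        return JWT.create()
                .withSubject(subject)
                .withIssuedAt(now)
                .withExpiresAt(new Date(now.getTime() + lifetimeMs))
                .sign(algorithm);
    }

    // Verifies signature and expiry first, so an expired or forged token
    // can never be exchanged for a new one; throws JWTVerificationException.
    String refreshIfNeeded(String current) {
        DecodedJWT jwt = JWT.require(algorithm).build().verify(current);
        long remainingMs = jwt.getExpiresAt().getTime() - System.currentTimeMillis();
        return remainingMs <= REFRESH_WINDOW_MS ? issue(jwt.getSubject(), LIFETIME_MS) : current;
    }

    public static void main(String[] args) {
        // Constructed demo key; a real service loads its key from protected configuration.
        byte[] key = "constructed-demo-key-0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        TokenRefresher r = new TokenRefresher(key);
        String fresh = r.issue("alice", LIFETIME_MS);
        String closeToExpiry = r.issue("alice", 5 * 60 * 1000L);
        System.out.println("fresh token kept: " + fresh.equals(r.refreshIfNeeded(fresh)));
        System.out.println("old token replaced: " + !closeToExpiry.equals(r.refreshIfNeeded(closeToExpiry)));
        try {
            r.refreshIfNeeded(fresh + "x");
        } catch (JWTVerificationException e) {
            System.out.println("tampered token rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

A Jersey response filter or the `/jwt/refresh` resource can call `refreshIfNeeded` and return the result in a response header, as the answer describes.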
