AngularJS or SPA with JWT - expiry and refresh

Question

I understand the flow of JWT and a single page application in terms of login and JWT issuance. However, if the JWT has a baked in expiry, AND the server isn\'t issuing a new JW

Answer 1

I think for my implementation I'm going to go with, after a bit of search, is...

Use case:

• JWT is only valid for 15 minutes
• User session will timeout after 1 hour of inactivity

Flow:

1. User logs in and is issued a JWT

   1. JWT has a 15 minute expiration with claim 'exp'
   2. JWT JTI is recorded in db has a session of 1 hour

2. After a JWT expires (after 15 min):

   1. Current expired JWT will be used @ a /refresh URI to exchange for a new one. The expired JWT will only work at the refresh endpoint. IE API calls will not accept an expired JWT. Also the refresh endpoint will not accept unexpired JWT's.
   2. JTI will be checked to see if its been revoked
   3. JTI will be checked to see if its still within 1 hour
   4. JTI session will be deleted from DB
   5. New JWT will be issued and new JTI entry will be added to the db

3. If a user logs out:

   1. JWT is deleted from client
   2. JTI is deleted from db so JWT cannot be refreshed

With that said, there will be database calls every 15 minutes to check a JTI is valid. The sliding session will be extended on the DB that tracks the JWT's JTI. If the JTI is expired then the entry is removed thus forcing the user to reauth.

This does expose a vulnerability that a token is active for 15 minutes. However, without tracking state every API request I'm not sure how else to do it.