Refresh Access Token Concept and Difference between Access Token and Refresh Token - Part 1 (Theoretical)

An access token is a JSON Web Token (JWT) string that carries the information needed to access a protected resource directly, by letting the resource check whether the user is authenticated or not. Access tokens have an expiration date and are usually short-lived. Generally, the default expiration time of an access token is 30 minutes.


A refresh token is a string that carries the information needed to create a new access token. In other words, when a new access token is needed (for example, when the access token's expiration time has passed but the user has not logged out and should keep uninterrupted access to the resources), the refresh token lets the authentication server issue a new access token.


Why Do We Need a Refresh Token:

In most cases we simply increase the authentication expiration date/time to cover up the problem of users being logged out automatically when they did not actually want to log out. The key concern is that if the authentication expiration is extended for a long period of time, an attacker who steals the token can misuse it and gain access to the whole protected system for that entire period, and can do anything during that time. To remedy this kind of situation, a refresh token lets a new access token be generated after a period of time, which makes the system more secure.


Implementation Concept and Other Guidelines:

To make the system more secure, we can set a short lifetime for the access token and, along with it, generate a refresh token as part of the login request. We can store the access token and refresh token in the UserLogin Control table. Whenever the access token expires, we can generate a new access token and update both the access and refresh tokens in that table. This allows access to the protected resource to continue without any issue, and the system will be more secure.
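The login, expiry and refresh procedure described above, together with the exposure argument from the previous section, as an added runnable example. This is not code from the article; it is a constructed Python sketch with a hand-rolled HS256 JWT, an in-memory stand-in for the article's UserLogin Control table, and several assumed values: the signing key, a 7-day refresh-token lifetime, storing only hashes of the tokens in the table, and revoking the whole session when an already-rotated refresh token is presented again.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Assumption: a constructed demo key. A real service loads this from a secret store.
SIGNING_KEY = b"constructed-demo-signing-key-not-for-production"
ACCESS_TTL = 30 * 60          # 30 minutes, the default lifetime the article mentions
REFRESH_TTL = 7 * 24 * 3600   # assumption: refresh tokens live for 7 days


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash(token: str) -> str:
    """Tokens are stored hashed so a leaked table does not yield usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


def make_access_token(user_id: str, now: float) -> str:
    """Issue a short-lived HS256 JWT with subject, issued-at and expiry claims."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_access_token(token: str, now: float) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
        presented = _unb64(sig)
        claims = json.loads(_unb64(payload))
    except ValueError:          # malformed structure, bad base64 or bad JSON
        return None
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return None             # tampered claims or wrong key
    if claims.get("exp", 0) <= now:
        return None             # expired: the client must use its refresh token
    return claims


class UserLoginControl:
    """In-memory stand-in for the article's UserLogin Control table (constructed)."""

    def __init__(self) -> None:
        # user_id -> {"access_hash", "refresh_hash", "refresh_exp"}
        self.rows = {}

    def login(self, user_id: str, now: float) -> Tuple[str, str]:
        """Login issues the short-lived access token and a random opaque refresh token."""
        access = make_access_token(user_id, now)
        refresh = secrets.token_urlsafe(32)
        self.rows[user_id] = {
            "access_hash": _hash(access),
            "refresh_hash": _hash(refresh),
            "refresh_exp": now + REFRESH_TTL,
        }
        return access, refresh

    def refresh(self, user_id: str, presented_refresh: str, now: float) -> Optional[Tuple[str, str]]:
        """Exchange a valid refresh token for a new access token, rotating the refresh token too."""
        row = self.rows.get(user_id)
        if row is None or row["refresh_exp"] <= now:
            self.rows.pop(user_id, None)
            return None         # no session, or the refresh token itself has expired
        if not hmac.compare_digest(row["refresh_hash"], _hash(presented_refresh)):
            # Assumption (design choice): a refresh token that no longer matches was already
            # rotated, so someone is replaying an old copy. Revoke the session outright.
            del self.rows[user_id]
            return None
        access, refresh = self.login(user_id, now)   # update both tokens in the table
        return access, refresh


if __name__ == "__main__":
    store = UserLoginControl()
    t0 = time.time()
    access, refresh = store.login("alice", t0)
    print("valid now:", verify_access_token(access, t0) is not None)
    print("valid after 31 min:", verify_access_token(access, t0 + 31 * 60) is not None)
    print("refreshed:", store.refresh("alice", refresh, t0 + 31 * 60) is not None)
```

Because every refresh rotates the pair and only hashes are stored, a stolen access token is useful for at most 30 minutes, and a replayed refresh token ends the session instead of extending it.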


Implementation Example:

  • Implementation will be discussed in the next part of this article…


More articles by Foysal Ahamed Sifat
