Get new token if current token expired #256

I created a Rails project as an API for iOS and Android apps. I want to use JWT. I think that timeless tokens are a bad approach. So if the token expires, the client needs to re-login, which is unacceptable UX in my case.
How should I get out of this situation? Should I save the login and password and perform auto sign-in if the token expires? (I think it is a bad approach too.)
Does your library support something like a refresh token?

Comments

I would set the token expiration to an arbitrarily long amount.

@ab320012 I think it is bad practice. In this case a hacker will be able to use a stolen token for a long time until the token expires.

Hi @ViTVetal, this is probably an answer you may not want to read, but this is a complex question with no clear answer. JWT by itself does not solve that problem for you. It provides a token format that you can verify by a given rule set. You should look into OAuth, which is based upon JWT. OAuth servers provide a refresh token after the initial authentication to give you an easy way to refresh short-lived JWTs. IMHO the JWT expiration should be a short amount of time: at most days, but preferably hours or minutes depending on the situation and many other factors. You may have a look at doorkeeper: https://github.com/doorkeeper-gem/doorkeeper Another way to use JWT in your app is to integrate OAuth providers like Google/Firebase, Facebook, Twitter, 0Auth, {insert your provider of choice here}, etc.

An article you may want to read: https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3

@excpt Thank you! It is important for me to hear the answer from the owner of the repository. I'll look at the links.
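The pattern @excpt describes, as an added example that is not part of this thread or of the jwt gem's code: a short-lived HS256 access token paired with an opaque, server-stored, single-use refresh token, so a client whose access token has expired can get a new one without re-entering credentials, while a stolen access token stops working within minutes. To run without dependencies it builds and verifies the JWT with the Ruby standard library (OpenSSL, JSON, Base64, SecureRandom) instead of calling JWT.encode/JWT.decode; the secret, lifetimes, user id and in-memory store are all constructed for the example.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Constructed secret for this example only; a real app loads it from configuration.
HMAC_SECRET = 'example-only-hmac-secret'.freeze
ACCESS_TTL  = 15 * 60          # access token lives 15 minutes
REFRESH_TTL = 30 * 24 * 3600   # refresh token lives 30 days and is single use

class ExpiredToken < StandardError; end
class InvalidToken < StandardError; end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time byte comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build a compact HS256 JWT (header.payload.signature) with an exp claim.
# The jwt gem's JWT.encode(payload, secret, 'HS256') produces the same format.
def issue_access_token(user_id, now: Time.now.to_i, ttl: ACCESS_TTL)
  header  = b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  payload = b64url(JSON.generate({ sub: user_id, iat: now, exp: now + ttl }))
  input   = "#{header}.#{payload}"
  "#{input}.#{b64url(OpenSSL::HMAC.digest('SHA256', HMAC_SECRET, input))}"
end

# Verify the signature first, then exp. The signature is always recomputed as
# HS256 no matter what the header claims, so an "alg: none" token is rejected.
def verify_access_token(token, now: Time.now.to_i)
  header, payload, sig = token.split('.')
  raise InvalidToken, 'malformed token' unless header && payload && sig
  expected = OpenSSL::HMAC.digest('SHA256', HMAC_SECRET, "#{header}.#{payload}")
  given = begin
    Base64.urlsafe_decode64(sig)
  rescue ArgumentError
    raise InvalidToken, 'bad signature encoding'
  end
  raise InvalidToken, 'bad signature' unless secure_equal?(expected, given)
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  raise InvalidToken, 'missing exp claim' unless claims['exp'].is_a?(Integer)
  raise ExpiredToken, 'access token expired' if now >= claims['exp']
  claims
end

# Server-side refresh token store (in memory here; a database in practice).
# Only a SHA-256 fingerprint of each token is kept, so a leaked table does not
# yield usable tokens. A successful refresh deletes the old token and issues a
# new one, which also makes a replayed refresh token fail.
class RefreshStore
  def initialize
    @records = {} # fingerprint => { user_id:, exp: }
  end

  def issue(user_id, now: Time.now.to_i)
    raw = SecureRandom.urlsafe_base64(32)
    @records[fingerprint(raw)] = { user_id: user_id, exp: now + REFRESH_TTL }
    raw
  end

  # Exchange a valid refresh token for a fresh access + refresh token pair.
  def refresh(raw, now: Time.now.to_i)
    record = @records.delete(fingerprint(raw))
    raise InvalidToken, 'unknown or already used refresh token' unless record
    raise ExpiredToken, 'refresh token expired; sign in again' if now >= record[:exp]
    { access_token: issue_access_token(record[:user_id], now: now),
      refresh_token: issue(record[:user_id], now: now) }
  end

  private

  def fingerprint(raw)
    OpenSSL::Digest::SHA256.hexdigest(raw)
  end
end

# Client-side decision: keep the pair while the access token verifies, and
# swap it for a rotated pair (no password involved) once it has expired.
def tokens_for_request(store, tokens, now: Time.now.to_i)
  verify_access_token(tokens[:access_token], now: now)
  tokens
rescue ExpiredToken
  store.refresh(tokens[:refresh_token], now: now)
end

if __FILE__ == $PROGRAM_NAME
  store = RefreshStore.new
  t0 = Time.now.to_i
  pair = { access_token: issue_access_token('user-42', now: t0),
           refresh_token: store.issue('user-42', now: t0) }
  later = tokens_for_request(store, pair, now: t0 + ACCESS_TTL + 1)
  puts "rotated: #{later[:access_token] != pair[:access_token]}"
end
```

The access token is self-contained and checked without a database lookup, which is what makes a short lifetime cheap; the refresh token is the one that touches storage, and because it is single use and hashed at rest, revoking a session is a matter of deleting one record.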