JSON Web Tokens - jwt

Thu, 26 Nov 2020 00:00:00 +0000

References

The flow of the authentication process is:

User logs in using their credentials. On a successful login, the server issues an access token which is valid for a certain period of time (say 10 minutes) and a refresh token with a longer lifetime (say 24 hours for apps dealing with sensitive data. Simpler apps can have for days or even months). The client (frontend) stores refresh token in local storage (not database) and access token in cookies.
On every request to a protected resource, the access token must be provided in the request as a header.
When the access token expires after the stipulated time (10 minutes in our case), the client side app sends a request to generate a new access token, using the refresh token. This continues throughout the lifetime of the refresh token.
Once the refresh token is expired, the user will be logged out and needs to log in again.

5 modules associated with the authentication process are: