Elite Edition

Can a user have multiple refresh tokens?

Author

Sarah Martinez

Published Mar 03, 2026


An access token can, and in most cases does, have a limited lifespan. Once it has expired, the API returns an error and you must request a new access token with your refresh token. In some cases the token endpoint also returns a new refresh token alongside the new access token, and that one is what you use for the next refresh. Each refresh token is tied to one client and one authorization, so a user who has signed in from several apps or devices normally holds one refresh token per session, and each can be used independently.

Should I refresh token on every request?

No, you don’t need to refresh the token on each request. But you definitely want your JWTs to expire at some point. Expiry is what limits JWT theft: without it, a malicious user holding a stolen access token could reach the target resource indefinitely.

What is refresh token used for?

A refresh token is a special token that is used to obtain additional access tokens. This allows you to keep access tokens short-lived without having to prompt the user for credentials every time one expires.

Are refresh tokens bad?

Single Page Apps (SPAs) should not store a refresh token. A refresh token is particularly problematic because it is long-lived (long expiration or no expiration at all), and if it is stolen an attacker can keep refreshing access tokens after each one expires.

Is refresh token a JWT?

In the Node.js JWT-with-refresh-token example this answer refers to, the refresh token is a random uid, not a JWT. When the client refreshes, it sends both the refresh token and the user. If you implement the refresh token as a JWT instead, you don’t need to send the user, because it would be inside the JWT.
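The two designs above, a self-contained JWT access token next to an opaque refresh token, as an added example that is not code from the original page or from the Node.js project it mentions. The HS256 key, the lifetimes and the in-memory REFRESH_STORE are constructed for the example. The JWT carries the user in its sub claim, so the API verifies it with nothing but the key; the refresh token is a random id that the server maps back to the user, so the client never has to say who it is when refreshing.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for this example. The HMAC key would come from a secret
# store in a real deployment, never a literal in source.
HS256_KEY = b"example-only-hmac-key-not-for-production"
ACCESS_TTL = 300           # seconds: short-lived, so a stolen JWT is useful only briefly
REFRESH_TTL = 14 * 86400   # seconds: the long-lived credential, kept server side

# Opaque refresh tokens: random ids mapped server side to the user and an expiry.
REFRESH_STORE = {}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_access_token(user_id, now=None):
    """Issue an HS256 JWT whose payload names the user (sub) and when it expires (exp)."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ACCESS_TTL}
    signing_input = _segment(header) + "." + _segment(payload)
    sig = hmac.new(HS256_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token, now=None):
    """Return the payload if signature and expiry check out, otherwise None.
    The API needs nothing but the token and the key: the user is inside the JWT."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse alg=none and any other algorithm swap
        expected = hmac.new(HS256_KEY, (head + "." + body).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        payload = json.loads(_b64url_decode(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def issue_refresh_token(user_id, now=None):
    """Refresh token as an opaque uid: meaningless to the client, looked up server side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    REFRESH_STORE[token] = {"sub": user_id, "exp": now + REFRESH_TTL}
    return token


def refresh_access_token(refresh_token, now=None):
    """Exchange a live refresh token for a fresh JWT. The client does not send the
    user id; the server recovers it from the stored refresh-token record."""
    now = time.time() if now is None else now
    record = REFRESH_STORE.get(refresh_token)
    if record is None or record["exp"] <= now:
        return None
    return mint_access_token(record["sub"], now)
```

The `now` parameters exist so the expiry logic can be exercised at fixed timestamps; production callers leave them unset.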

How long is refresh token valid?

Refresh-token lifetimes are set by the authorization server. In the configuration this answer describes, the refresh token has a 14-day sliding window (it stays usable as long as it is used at least once every 14 days) and an absolute lifetime of 90 days, after which the user must sign in again regardless of activity.

What should happen when refresh token expires?

The member must reauthorize your application when the refresh token expires. In the API this answer describes, using a refresh token to generate a new access token does not extend the refresh token: its lifespan, or Time To Live (TTL), remains what was set in the initial OAuth flow (365 days), while each new access token gets a fresh TTL of 60 days.

Are refresh tokens more secure?

It allows the separation of authorization server and resource server, too. This is only more secure if we assume the authorization server is somehow better secured than the resource server. If this is not the case it is actually less secure: if the refresh token is compromised I can just use that to get a new access token.

What is JWT token and refresh token?

The JWT is used for accessing secured routes on the API, and the refresh token is used for obtaining new JWT access tokens when (or just before) they expire.

Is JWT the same as OAuth?

Basically, JWT is a token format. OAuth is a standardised authorization protocol that can use JWT as a token. OAuth uses both server-side and client-side storage: the authorization server keeps state about the refresh tokens it issued, which is what makes a real logout possible, since a self-contained JWT cannot be recalled before it expires. If you want real logout you must go with OAuth2 and revoke the refresh token there.

What if refresh token is stolen?

If the refresh token can be stolen, then so can the access token. With such an access token the attacker can start making API calls immediately. To make matters worse, access tokens are often self-contained JWTs: they carry all the information the API needs to make security decisions, so the API accepts them without consulting the authorization server and cannot tell a stolen token from a legitimate one until it expires.
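The standard mitigation for the stolen-refresh-token case above (and for the long-lived token problem raised under "Are refresh tokens bad?") is refresh token rotation with reuse detection. The following is an added example, not code from the original page: every refresh retires the presented token and issues a new one in the same family, and a retired token showing up again proves that two parties hold copies, so the whole family is revoked. Lifetimes, the placeholder access token and the in-memory store are constructed for the example.

```python
import secrets
import time

# Constructed lifetimes for this example.
ACCESS_TTL = 600            # seconds
REFRESH_TTL = 90 * 86400    # absolute refresh-token lifetime in seconds


class RotatingRefreshStore:
    """Server-side refresh tokens with rotation and reuse detection.

    Every successful refresh marks the presented token as used and issues a new
    one in the same family. A used token showing up again means two parties hold
    copies (the legitimate client and a thief), so the whole family is revoked
    and the user has to authenticate again.
    """

    def __init__(self):
        self._tokens = {}     # refresh token -> {"family", "sub", "exp", "used"}
        self._families = {}   # family id -> {"sub", "revoked"}

    def login(self, sub, now=None):
        """Start a new family after the user authenticates; returns the first refresh token."""
        now = time.time() if now is None else now
        family = secrets.token_hex(8)
        self._families[family] = {"sub": sub, "revoked": False}
        return self._issue(family, sub, now)

    def _issue(self, family, sub, now):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"family": family, "sub": sub, "exp": now + REFRESH_TTL, "used": False}
        return token

    def revoked(self, token):
        """True if the token belongs to a family that has been shut down."""
        record = self._tokens.get(token)
        return record is not None and self._families[record["family"]]["revoked"]

    def refresh(self, presented, now=None):
        """Handle grant_type=refresh_token. Returns a token response or an error dict."""
        now = time.time() if now is None else now
        record = self._tokens.get(presented)
        if record is None:
            return {"error": "invalid_grant"}
        family = self._families[record["family"]]
        if family["revoked"]:
            return {"error": "invalid_grant"}
        if record["used"]:
            # Reuse: this token was already rotated away. Kill the family so the
            # thief's copy and the legitimate client's copy both stop working.
            family["revoked"] = True
            return {"error": "invalid_grant", "reuse_detected": True}
        if record["exp"] <= now:
            return {"error": "invalid_grant"}
        record["used"] = True
        new_refresh = self._issue(record["family"], record["sub"], now)
        return {
            "token_type": "Bearer",
            # Placeholder opaque access token; a real server would mint a JWT here.
            "access_token": "at-" + secrets.token_urlsafe(16),
            "expires_in": ACCESS_TTL,
            "refresh_token": new_refresh,
        }
```

Rotation does not stop a thief who refreshes before the legitimate client does, but it bounds the damage: the next legitimate refresh trips the reuse check and revokes the family, and the `reuse_detected` flag is the signal an operator would alert on.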

How do I know if my refresh token is valid?

You cannot tell from the client side whether a refresh token is still valid; you only learn that when the token endpoint accepts it or rejects it (typically with an invalid_grant error). What the client can track is the access token’s expiry, which the token response states as expires_in. That is done using the following steps:

  1. convert expires_in to an expire time (epoch, RFC-3339/ISO-8601 datetime, etc.)
  2. store the expire time.
  3. on each resource request, check the current time against the expire time and make a token refresh request before the resource request if the access_token has expired.
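The three steps above as one complete client-side token manager. This is an added example, not code from the original page; the skew margin, the `fake_token_endpoint` stand-in and the sample token responses are constructed for it. The manager converts `expires_in` to an absolute epoch time once, stores it, and compares it with the current time before each request, refreshing slightly early so clock drift and request latency do not produce a request made with a token that expires in flight.

```python
import time
from datetime import datetime, timezone

SKEW_SECONDS = 30   # refresh slightly early to absorb clock drift and request latency


class TokenManager:
    """Client-side bookkeeping for access-token expiry.

    expires_in in a token response is relative (seconds from now), so it is
    converted once to an absolute expiry and stored; before each resource
    request the stored expiry is compared with the current time.
    """

    def __init__(self, refresh_fn, token_response, now=None):
        self._refresh_fn = refresh_fn    # callable(refresh_token) -> new token response
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0
        self.refresh_count = 0
        self._apply(token_response, time.time() if now is None else now)

    def _apply(self, response, now):
        # Steps 1 and 2: turn expires_in into an epoch timestamp and remember it.
        self.access_token = response["access_token"]
        # Rotation may hand back a new refresh token; keep the old one otherwise.
        self.refresh_token = response.get("refresh_token", self.refresh_token)
        self.expires_at = now + float(response["expires_in"])

    def expires_at_iso(self):
        """The stored expiry as an RFC 3339 timestamp, handy for logs and persistence."""
        return datetime.fromtimestamp(self.expires_at, tz=timezone.utc).isoformat()

    def needs_refresh(self, now=None):
        now = time.time() if now is None else now
        return now >= self.expires_at - SKEW_SECONDS

    def access_token_for_request(self, now=None):
        # Step 3: check on every request; refresh first only when the token is (nearly) expired.
        now = time.time() if now is None else now
        if self.needs_refresh(now):
            self._apply(self._refresh_fn(self.refresh_token), now)
            self.refresh_count += 1
        return self.access_token


def fake_token_endpoint(refresh_token):
    """Constructed stand-in for a refresh_token grant; a real client would POST to the token endpoint."""
    return {
        "access_token": "access-from-" + refresh_token,
        "expires_in": 3600,
        "refresh_token": refresh_token + "-rotated",
    }
```

If the refresh call itself fails with invalid_grant, the refresh token is the thing that has expired or been revoked, and the only remedy is to send the user back through the authorization flow.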

What is the difference between refresh token and access token?

Access tokens usually have an expiration time and are short-lived. A refresh token carries what is needed to obtain a new access token: whenever an access token is required to reach a specific resource and the current one has expired, the client presents the refresh token to the authorization server and is issued a new access token.

How to get the access token for two resources at once?

Then, using the refresh token you just got, you make another call to the token endpoint (over REST, or via ADAL AcquireTokenSilent so that there isn’t a popup asking for user credentials this second time) and request a token for the second resource by specifying the second resource id in this call. The access token you get this time is valid for the second resource.

What is refresh token in Adal?

The ADAL library supports acquiring multiple access tokens for multiple resources using one refresh token. This means that once a user is authenticated, ADAL’s authentication context can obtain an access token for each resource without authenticating the user again.

How do I set a refresh token for a grant?

Set the refresh_token parameter to the value of the refresh token retrieved in the previous step, and set grant_type to refresh_token. If you registered a web application, also include the client_secret parameter, set to the value provisioned in Register an application.
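The refresh_token grant described in the last three answers, built on both sides so it runs offline: an added example that is not code from the original page, from ADAL, or from any identity provider. The client builds the form body with grant_type, refresh_token, client_id, the resource being requested and, for a web application, client_secret; a mock token endpoint validates the grant and hands back an access token bound to that one resource. The client registrations, the issued refresh token and the resource URLs are constructed for the example, and the `resource` parameter is the one the answers above use.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Hypothetical registrations, constructed for this example.
REGISTERED_CLIENTS = {
    "web-app-example": {"confidential": True, "secret": "example-client-secret"},
    "spa-example": {"confidential": False, "secret": None},
}
# A refresh token the user already obtained, with the resources the user consented to.
ISSUED_REFRESH_TOKENS = {
    "rt-example": {
        "sub": "alice",
        "client_id": "web-app-example",
        "resources": {"https://api-one.example", "https://api-two.example"},
    }
}
ACCESS_TTL = 3600


def build_refresh_request(refresh_token, client_id, resource, client_secret=None):
    """Form body for a refresh_token grant requesting an access token for one resource.
    client_secret is included only for confidential (web application) clients."""
    params = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "resource": resource,
    }
    if client_secret is not None:
        params["client_secret"] = client_secret
    return urlencode(params)


def mock_token_endpoint(body):
    """Server side of the exchange: validates the grant and returns a token bound to one resource."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "refresh_token":
        return {"error": "unsupported_grant_type"}
    client = REGISTERED_CLIENTS.get(form.get("client_id", ""))
    if client is None:
        return {"error": "invalid_client"}
    if client["confidential"]:
        # A web application must prove it is the registered client before any refresh is honoured.
        if not hmac.compare_digest(form.get("client_secret", ""), client["secret"]):
            return {"error": "invalid_client"}
    record = ISSUED_REFRESH_TOKENS.get(form.get("refresh_token", ""))
    if record is None or record["client_id"] != form["client_id"]:
        return {"error": "invalid_grant"}
    resource = form.get("resource", "")
    if resource not in record["resources"]:
        return {"error": "invalid_grant", "error_description": "resource not consented"}
    return {
        "token_type": "Bearer",
        "access_token": "at-for-" + resource + "-" + secrets.token_hex(4),
        "resource": resource,                    # the audience this token is good for
        "expires_in": ACCESS_TTL,
        "refresh_token": form["refresh_token"],  # same refresh token stays usable for other resources
    }


def acquire_tokens_silently(refresh_token, client_id, client_secret, resources):
    """One refresh token, one access token per resource, no user prompt in between."""
    tokens = {}
    for resource in resources:
        body = build_refresh_request(refresh_token, client_id, resource, client_secret)
        response = mock_token_endpoint(body)
        if "error" in response:
            raise RuntimeError(response["error"])
        tokens[resource] = response
        refresh_token = response["refresh_token"]  # honour rotation if the server rotated it
    return tokens
```

Each access token names the resource it was issued for, which is why the token obtained for the first resource is not simply reused against the second: the resource server checks that audience, and a token for the wrong one is rejected.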