Security with JSON Web Token
- Client --> POST /login, username/password --> Application
- Authentication process (verifies credentials are correct)
- Client <-- Json Web Token(JWT) <-- Application
- Client(JWT) --> GET /users, JWT --> Application
- Application checks JWT if it is valid or it has permission to access
accessToken : eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMTExIiwicm9sZXMiOlsiUk9MRV9BRE1JTiIsIlJPTEVfVVNFUiJdLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvbG9naW4iLCJleHAiOjE2NTkyNjAxNDN9.sQx7Oiu8tjfobvwBTsjkGA-2MVD2mn-M8MKf4qI8Y4I
refreshToken : eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMTExIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2xvZ2luIiwiZXhwIjoxNjU5MjYxMzQzfQ.iuYj8NwGWzBRgmizD8eJG8StAjPi-_wd3d1AmP4A0Ds
Scenario
- Login
- Get accessToken, refreshToken
- Front-end developer will save tokens somewhere on the client
- When I need to access any resource, i will send accessToken
- When accessToken expires, front-end will look for the refreshToken
- Send another request immediately with refreshToken (same authorization header starting with "Bearer ")