How to automatically renew a token after it expires?

Recommended today

 Reduce  try-catch , This is grace ！

 An addictive new generation of development artifacts , Say goodbye to Controller、Service、Dao Other methods 

SpringBoot Realize face recognition function 

 believe me , Use  Stream  Can really make the code more elegant ！

 The most detailed thread pool in the whole network  ThreadPoolExecutor  Reading ！

 Batch splitting with multithreading  List  Import database , Efficiency bars ！

JWT token Of payload Part of it is a json strand , Is a set of declarations to pass data , These statements are JWT The standard is called claims.

JWT The standard defined in the standard claim Include ：

• iss(Issuser)：JWT The issuing subject of ;

• sub(Subject)：JWT Owner ;

• aud(Audience)：JWT The recipient of ;

• exp(Expiration time)：JWT The expiration time of ;

• nbf(Not Before)：JWT Effective start time of ;

• iat(Issued at)：JWT Issued on ;

• jti(JWT ID)： yes JWT Unique identification of .

In addition to the above standard statement , We can also customize the declaration . With com.auth0 For example , The following code snippet implements the generation of a with expiration time token.

String token = JWT.create()
    .withIssuer(ISSUER)
    .withIssuedAt(new Date(currentTime))//  The issuance of time 
    .withExpiresAt(new Date(currentTime + EXPIRES_IN * 1000 * 60))//  Expiration time stamp 
    .withClaim("username", username)// Custom parameters 
    .sign(Algorithm.HMAC256(user.getPassword()));

among ：

• withIssuer() Set the issuing entity ;

• withIssuedAt() Set issuing time ;

• withExpiresAt() Set expiration time stamp , The expiration time is EXPIRES_IN （ Unit second ）;

• withClaim() Set custom parameters .

JWT After setting the expiration time , It must be more than , Then the interface cannot be accessed , The user needs to log in again to get token. If you often need users to log in again , Obviously, this experience is not very good , Therefore, many applications will adopt token The scheme of automatic renewal after expiration , Only under certain conditions will users be allowed to log in again .

token Expired renewal scheme

solve token There are many different solutions to the expired renewal problem , Here are some representative examples . First, let's look at a list token programme , This scheme can be realized in addition to token Beyond renewal , It can also realize forced re login under some conditions .

single token programme

• take token The expiration time is set to 15 minute ;

• The front end initiates a request , Back-end verification token Is it overdue ; If expired , The front end initiates a refresh token request , The back end returns a new... For the front end token;

• The front end is new token Initiate request , The request is successful ;

• If you want to achieve 72 Hours , You must log in again , The back-end needs to record the login time of each user ; Every time a user requests , Check the last login date of the user , Exceed 72 Hours , Then refuse to refresh token Request , request was aborted , Go to the login page .

In addition, the back-end can also refresh records token The number of times , For example, refresh at most 50 Time , If it reaches 50 Time , Refresh is no longer allowed , User reauthorization required .

The list introduced above token The principle of the scheme is relatively simple . Now let's look at a double token programme .

double token programme

• After successful login , Backend return access_token and refresh_token, The client caches these two types of data token;

• Use access_token Request interface resources , Successful call ; If token Overtime , The client carries refresh_token call token Refresh interface to get new data access_token;

• The backend accepts the refresh token After request , Check refresh_token Is it overdue . If expired , Refuse to refresh , After the client receives the status , Go to the landing page ; If not expired , Generate a new access_token Return to the client .

• The client carries new access_token Call the above resource interface again .

• After the client logs out or changes the password , Write off old token, send access_token and refresh_token invalid , At the same time, clear the client access_token and refresh_toke.

Wechat website authorization is through OAuth2.0 Realized by mechanism , Double... Is also used token programme .

Wechat web page authorization scheme

• After the user completes wechat authorization on the web page of the third-party application , Third party applications can obtain code（ Authorization code ）.code The timeout for is 10 minute , One code You can only exchange success for access_token I.e. failure .

• Third party applications through code Get web authorization credentials access_token And refresh credentials refresh_token.

• access_token Is the calling voucher for calling the authorization relationship interface , because access_token The period of validity （2 Hours ） Shorter , When access_token After a timeout , have access to refresh_token refresh .

• refresh_token Has a long validity period （30 God ）, When refresh_token After failure , User reauthorization required .

The backend implementation token Expired can also be used Redis To store token, Set up redis Expiration time of key value pair . If you find that redis Does not exist in the token The record of , explain token It's overdue .

source ：toutiao.com/article/6995179162675790350

Last , Recommend a planet of my knowledge , Join now , front 100 name , It only needs  25 element that will do , Very favorable .