
JWT login expiration - automatic refresh token scheme introduction

2022-07-27 13:48:00 leowang5566


Preface

In projects with separated front end and back end, more and more interfaces use a JWT token as their security mechanism. But once the JWT has expired the user cannot perceive it directly: if the user is in the middle of operating a page and is suddenly prompted to log in, the experience is very unfriendly.

Hence the requirement for automatic token refresh. Such an automatic refresh scheme, however, is basically inseparable from server-side state storage, whereas the idea behind JWT is decentralised and stateless, so it goes against that idea. Businesses like the Alibaba Cloud home page, for example, do no refresh-token maintenance at all, and that is what conforms to the idea.

Scheme 1: the front end detects token expiry and refreshes it imperceptibly

When the user logs in successfully, give them two tokens at once: an AccessToken and a RefreshToken.

The AccessToken has a short validity period, for example 1 day or 5 days, and is used for normal requests.

The RefreshToken's validity period can be set somewhat longer, for example 10 or 20 days; it serves as the proof for refreshing the AccessToken.

Refresh scheme

When the AccessToken is about to expire, for example 30 minutes ahead of time, the client uses the RefreshToken to call a designated API to obtain a new AccessToken and updates the AccessToken in local storage.

Core logic

  1. After successful login, a JWT is generated as the AccessToken; a UUID is generated as the RefreshToken and stored in Redis on the server with an expiration time.
  2. The interface returns three fields: AccessToken, RefreshToken and the access token's expiration timestamp.
  3. Because the RefreshToken is stored in Redis on the server, if the RefreshToken has expired the user is prompted to log in again.

Question: the RefreshToken's validity period is so long; what is the difference from directly extending the AccessToken's validity period?

Answer: unlike the AccessToken, the RefreshToken is not used in most requests; it is mainly used only when local detection finds the accessToken about to expire. Once stored locally it is not called refreshToken either: the front end can alias it, and the obfuscated code makes it impossible for an attacker to directly recognise that this is the refresh token.

Disadvantage:

The front end has to check the token's expiration time on every request.

Advantage:

Low back-end load, and the code logic changes little.
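The browser side of scheme 1 (the 30-minute-ahead check before every request, the refresh call, and the aliased storage key from the answer above), as an added example that is not code from the original post. It assumes a storage object with the localStorage API (getItem/setItem), an injected refreshApi(refreshToken) that resolves to the refresh endpoint's JSON, an injected fetch implementation so the example runs offline, and a "sid" key name chosen here as the alias. It also goes one step beyond the post: concurrent requests that all find the token near expiry share a single refresh call instead of each firing one.

```javascript
// Added example: browser side of scheme 1. Not from the original post.
// Assumptions: storage with getItem/setItem (localStorage in a browser),
// refreshApi(refreshToken) -> Promise<{ ok, accessToken, accessTokenExpiresAt }>,
// fetchImpl(url, init) -> Promise<Response>, lead time of 30 minutes as in the post.
const REFRESH_LEAD_MS = 30 * 60 * 1000;

// Save the login response's three fields. Following the post's suggestion the
// refresh token is kept under an unremarkable key name ("sid" here, an assumption).
function storeLoginResponse(storage, { accessToken, refreshToken, accessTokenExpiresAt }) {
  storage.setItem("accessToken", accessToken);
  storage.setItem("accessTokenExpiresAt", String(accessTokenExpiresAt));
  storage.setItem("sid", refreshToken);
}

function createApiClient({ storage, refreshApi, fetchImpl, now = () => Date.now() }) {
  let inflightRefresh = null; // single-flight: concurrent requests share one refresh
  let refreshCalls = 0;

  // Resolve to a usable access token, refreshing first if it expires within the lead time.
  function ensureFreshAccessToken() {
    const expiresAt = Number(storage.getItem("accessTokenExpiresAt"));
    if (expiresAt - now() > REFRESH_LEAD_MS) {
      return Promise.resolve(storage.getItem("accessToken"));
    }
    if (!inflightRefresh) {
      refreshCalls += 1;
      inflightRefresh = refreshApi(storage.getItem("sid"))
        .then((res) => {
          // Server says the RefreshToken is unknown or expired: back to the login page.
          if (!res.ok) throw new Error("login_required");
          storage.setItem("accessToken", res.accessToken);
          storage.setItem("accessTokenExpiresAt", String(res.accessTokenExpiresAt));
          return res.accessToken;
        })
        .finally(() => { inflightRefresh = null; });
    }
    return inflightRefresh;
  }

  // Drop-in replacement for fetch(): every call goes through the expiry check.
  async function request(url, init = {}) {
    const token = await ensureFreshAccessToken();
    const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
    return fetchImpl(url, { ...init, headers });
  }

  return { request, refreshCalls: () => refreshCalls };
}
```

The aliased key only keeps the refresh token from being spotted by name; anything that can read the page's storage can still read it. The protection that actually limits damage is the short AccessToken lifetime together with the server-side expiry of the RefreshToken record, which is why the refresh endpoint's "login again" answer is surfaced to the caller rather than retried.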

Scheme 2: the back end stores the token and determines the expiration time

The back end stores the AccessToken, and on every request checks whether it is about to expire. If it is about to expire, for example 1 day or 30 minutes away, the back end generates a new token and returns it to the front end to be stored again. If the user keeps accessing the corresponding interfaces the token is renewed, but if there is no access and the token has expired, the user has to log in again.

Advantage:

The front-end change is small: it only checks whether the response's HTTP header carries a newly generated token and, if so, stores it again.

Disadvantage:

The back end is more complex, a leaked token easily remains live, and the front end makes concurrent requests: when several concurrent requests each receive a JWT token, multiple tokens easily end up being used chaotically.

Original site

Copyright notice
This article was created by [leowang5566]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/199/202207160924438255.html