JWT Refresh Token

In this article, we are going to look at JSON Web Tokens, commonly abbreviated JWT. As part of the current digital transformation, we build multiple services to segregate responsibilities and implement distributed architectures, so in real-world scenarios a single application is expected to consume multiple services depending on the business use case. On top of that, we are going to look at the refresh token, which keeps the user signed in when the current token expires; without it, the current token expires after the default interval and the system has to redirect the user to the login page.

Here, we are focusing on,

  • What is JWT 
  • What is Refresh Token
  • Structure of JWT
  • Why do we need it
  • Architecture 

What is JWT

JWT is an open standard for securely transmitting claims from one system to another in a signed token. In simple terms, it is a kind of digital signature exchanged between parties.

What is Refresh Token

The refresh token works on top of the JWT. A JWT normally has a short expiration time, maybe 5 to 10 minutes, whereas the refresh token has a much longer expiry. Once the JWT expires, the system would redirect the user to log in again; to avoid that, the refresh token plays a vital role: it is used to generate a new JWT so the session stays alive and the current user remains authenticated.

The refresh token should be stored in the database. If a refresh token is compromised, we need to blacklist it and issue a new one; in that case the user is redirected to the login page and the client app has to go through the full login flow again to obtain a new token. The recommended approach is to apply a rotation policy to refresh tokens, so that each refresh token is valid for a single use and is replaced every time it is used.

Structure of JWT

The JWT consists of three sections,

  1. Header
    1. Token type
    2. Hashing algorithm (e.g., HS256)
  2. Payload
    1. Claims (e.g., issuer, subject, audience, expiration date, issued at, etc.)
    2. Note: Claims should be minimal and must not include sensitive information (the payload is Base64-encoded, not encrypted).
  3. Signature
    1. Computed over the Base64-encoded header and payload using the algorithm named in the header
    2. Note: Any change to the header or payload invalidates the signature.
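As an added example (not code from the original article), here is a minimal Python implementation of the pieces described above: an HS256 mint/verify pair that exercises the header, payload and signature sections, and a refresh-token store with a rotation policy that blacklists a whole token family when an already-rotated token is reused. It uses only the standard library; the in-memory store, the ten-minute JWT lifetime and the seven-day refresh lifetime are assumptions for the demonstration.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_jwt(claims: dict, key: bytes, ttl: int, now: float) -> str:
    # Header names the algorithm; payload carries the minimal claims plus expiry.
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({**claims, "exp": int(now) + ttl}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token: str, key: bytes, now: float):
    # Returns the claims if the signature is valid and the token is unexpired, else None.
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected).encode(), sig.encode()):
        return None  # header or payload was altered, or signed with another key
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims.get("exp", 0) > now else None

class RefreshStore:
    """In-memory stand-in for the database table holding refresh tokens (assumed design)."""
    def __init__(self, key: bytes, jwt_ttl: int = 600, refresh_ttl: int = 7 * 24 * 3600):
        self.key, self.jwt_ttl, self.refresh_ttl = key, jwt_ttl, refresh_ttl
        self.active = {}    # refresh token -> (subject, family id, expiry)
        self.rotated = {}   # refresh token -> family id, kept so reuse can be detected
        self.revoked_families = set()

    def issue(self, subject: str, now: float, family=None):
        rt = secrets.token_urlsafe(32)
        self.active[rt] = (subject, family or rt, now + self.refresh_ttl)
        return mint_jwt({"sub": subject}, self.key, self.jwt_ttl, now), rt

    def rotate(self, rt: str, now: float):
        # Reuse of an already-rotated token means it leaked: blacklist the whole family.
        if rt in self.rotated:
            self.revoked_families.add(self.rotated[rt])
            return None
        entry = self.active.pop(rt, None)
        if entry is None or entry[2] <= now or entry[1] in self.revoked_families:
            return None  # unknown, expired or blacklisted: client must log in again
        subject, family, _ = entry
        self.rotated[rt] = family
        return self.issue(subject, now, family)
```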

Why do we need it

In the current world, data is considered gold, so we need to keep it as secure as possible. We may host our application privately or publicly; both are exposed, and if we do not apply any digital security mechanism we are opening the door to our own data being compromised. Therefore, whenever we connect to a system, internal or external, we should apply a digital security mechanism such as JWT.

JWT Architecture

(Figure: JWT refresh token architecture diagram)

I hope you got an idea about how JWT and refresh tokens work.
