The JWT expiration time is only 1 hour, so if a user remains idle for more than 1 hour, they will be logged out with ✨ JWT Invalidation on user logout Needs work . To keep users logged in, we must extend the JWT validity, for example, to 30 days. However, this approach poses security risks because if the JWT is compromised during those 30 days, it can be used to access any part of the site the user has access to. This is why we need a refresh token, which serves the purpose of establishing a JWT renewal mechanism, while keeping the JWT authorization period short to enhance security.
When a request is made to the JWT Auth Issuer route (jwt/token) and the JWT is found to have expired, a new JWT is generated via the refresh token. The refresh token’s expiration time can be 30 days or even longer, such as a year, without posing a security risk. This is because the refresh token can only be used for renewing the JWT and does not grant direct access to other functionalities.
Active
2.0
Code
I ended up implementing a token refresh workflow using the session cookie as the refresh token.
It has some benefits, such as