How to keep the user logged in once the token has expired?
I have created an API in PHP using JWT. I have set a 10 minute expiration time for tokens. How can I verify if the user is still logged in after 10 minutes?
OAuth provides a refresh token along with the access token, and using the refresh token we can generate a new access token. But I found that "The JWT standard does not have any concept of a 'refresh token' or 'access token'" in one git thread.
My JWTHandler function to create the token:
```php
// Signature matches JWT::encode($payload, $key, $alg) from firebase/php-jwt (assumed).
public function jwtEncodeData($iss, $data)
{
    $this->token = array(
        // Adding the identifier to the token (who issued the token)
        "iss" => $iss,
        "aud" => $iss,
        // Adding the current timestamp to the token, for identifying when the token was issued.
        "iat" => $this->issuedAt,
        // Token expiration
        "exp" => $this->expire,
        // Payload
        "data" => $data
    );
    $this->jwt = JWT::encode($this->token, $this->jwt_secrect, 'HS256');
    return $this->jwt;
}
```
It is just returning a token. Is there any way to create a refresh token in JWT? Or should I create it with plain PHP, which may contain the user id? So, if the client receives an "Invalid token" error, they can request a new token with that user id in the refresh token.
Updated:
I have found here: "Before making any API call, the mobile app checks if the token is about to expire (with the help of the stored values). If the token is about to expire, the app sends the refresh token which instructs the server to generate a new access token"
but my mobile app (Android) developer is saying that they have never checked whether a token is valid or not in their past experience. How should it actually be carried out? If I check whether the token is valid or not in the API and then create a new token if the previous one is not valid, then I need to send the newly generated token to the mobile app in the response? And the mobile app needs to check each API response to see if a token is there in the response?
Solution 1:[1]
I have set a 10 minute expiration time for tokens. How can I verify if the user is still logged in after 10 minutes?
Access tokens are disconnected from user sessions. The lifetime of an access token has nothing to do with a user's session. It seems to me that in your setup you should rather be using plain old sessions instead of access and refresh tokens.
But I found that "The JWT standard does not have any concept of a 'refresh token' or 'access token'" in one git thread.
That is true because the JWT standard only tells you what a JSON Web Token should look like, how it can be signed for integrity protection (through the JWS standard), and how it can be encrypted for privacy (through the JWE standard). JWTs can be used for many different purposes, and access and refresh tokens are just one such purpose.
any way to create a refresh token in JWT
JWT is not a framework that you can use to create refresh tokens automatically, consume them, etc. OAuth and OpenID Connect are standards that define how to deal with access and refresh tokens (what are the flows which allow you to issue those tokens, and how to properly refresh access tokens). You can have a look at the refresh grant from OAuth. It describes what you need. Basically, you need to issue another token (it may be a JWT) and send both to the client. When the client needs to refresh the access token, it sends the refresh token to a special endpoint and gets a new access token (if the refresh token is valid).
Again, in your case, I feel that implementing OAuth refresh flow will be a bit of an overkill, and I would definitely have a look at sessions.
How should it actually be carried out? If I check whether the token is valid or not in the API and then create a new token if the previous one is not valid, then I need to send the newly generated token to the mobile app in the response? And the mobile app needs to check each API response to see if a token is there in the response?
It's not exactly accurate. You should validate the token in your API. If the token is expired (or invalid for other reasons), the API should respond with a 401 response. This is a sign to the mobile app that the token is no longer valid and that it needs a new one. If the app has a refresh token, then it can use that token to get a new access token. The mobile app can now call your API again, with a new access token. If the app doesn't have access to a refresh token, or if the refresh token is expired, then the app should ask the user to log in again.
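The flow Solution 1 describes (and the refresh-token question above asks about), as an added example that is not code from the question, from Solution 1, or from any JWT library: a self-contained HS256 issuer/verifier in plain PHP, a login that hands out both tokens, a protected endpoint that answers 401 on an expired access token, and a refresh endpoint that mints a new access token or answers 401 so the app sends the user back to login. The secret, issuer name, user id, lifetimes and timestamps are placeholder values, and the `typ` payload claim used to keep refresh tokens from being accepted as access tokens is a custom claim chosen for this example, not part of the JWT standard.

```php
<?php
// Added example (not the question's code, not firebase/php-jwt): minimal HS256
// JWT encode/verify plus the access/refresh flow from Solution 1. JWT_SECRET,
// ISSUER, the user id 42, the lifetimes and the clock value are placeholders.
declare(strict_types=1);

const JWT_SECRET  = 'replace-with-a-long-random-secret'; // placeholder
const ISSUER      = 'example-api';                       // placeholder
const ACCESS_TTL  = 600;        // 10 minutes, as in the question
const REFRESH_TTL = 14 * 86400; // 14 days, assumed refresh-token policy

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64urlDecode(string $s): string
{
    $bin = base64_decode(strtr($s, '-_', '+/'), true);
    return $bin === false ? '' : $bin;
}

// Sign a claims array as a compact HS256 JWT (header.payload.signature).
function jwtEncode(array $claims, string $secret): string
{
    $header  = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = b64url(json_encode($claims));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Verify algorithm, signature, token type and expiry; return claims or null.
function jwtDecode(string $jwt, string $secret, string $expectedType, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64urlDecode($h), true);
    if (($header['alg'] ?? null) !== 'HS256') {
        return null; // reject "none" and any algorithm the server did not choose
    }
    $expected = b64url(hash_hmac('sha256', "$h.$p", $secret, true));
    if (!hash_equals($expected, $s)) {
        return null; // constant-time signature comparison
    }
    $claims = json_decode(b64urlDecode($p), true);
    if (!is_array($claims) || ($claims['typ'] ?? null) !== $expectedType) {
        return null; // a refresh token must never be accepted as an access token
    }
    if (!isset($claims['exp']) || $now >= (int) $claims['exp']) {
        return null; // expired
    }
    return $claims;
}

// Login: issue both tokens. The refresh token is also a JWT, marked typ=refresh.
function issueTokens(int $userId, int $now): array
{
    $base = ['iss' => ISSUER, 'aud' => ISSUER, 'iat' => $now, 'sub' => $userId];
    return [
        'access_token'  => jwtEncode($base + ['typ' => 'access',  'exp' => $now + ACCESS_TTL], JWT_SECRET),
        'refresh_token' => jwtEncode($base + ['typ' => 'refresh', 'exp' => $now + REFRESH_TTL], JWT_SECRET),
    ];
}

// Protected API call: an invalid or expired access token gets a 401; the client
// decides to refresh, the API response never carries a replacement token.
function handleApiRequest(string $accessToken, int $now): array
{
    $claims = jwtDecode($accessToken, JWT_SECRET, 'access', $now);
    if ($claims === null) {
        return ['status' => 401, 'body' => ['error' => 'invalid_token']];
    }
    return ['status' => 200, 'body' => ['user' => $claims['sub']]];
}

// Refresh endpoint: a valid refresh token yields a new access token; an invalid
// or expired one gets a 401, which means "log in again".
function handleRefresh(string $refreshToken, int $now): array
{
    $claims = jwtDecode($refreshToken, JWT_SECRET, 'refresh', $now);
    if ($claims === null) {
        return ['status' => 401, 'body' => ['error' => 'invalid_grant']];
    }
    $access = jwtEncode(['iss' => ISSUER, 'aud' => ISSUER, 'iat' => $now, 'sub' => $claims['sub'],
                         'typ' => 'access', 'exp' => $now + ACCESS_TTL], JWT_SECRET);
    return ['status' => 200, 'body' => ['access_token' => $access]];
}

// The sequence the mobile app drives, with a placeholder clock instead of time().
$t0     = 1700000000;
$tokens = issueTokens(42, $t0);
echo handleApiRequest($tokens['access_token'], $t0)['status'], PHP_EOL;              // fresh token
echo handleApiRequest($tokens['access_token'], $t0 + 660)['status'], PHP_EOL;        // 11 min later: expired
$fresh = handleRefresh($tokens['refresh_token'], $t0 + 660);
echo handleApiRequest($fresh['body']['access_token'], $t0 + 660)['status'], PHP_EOL; // retry with new token
echo handleRefresh($tokens['refresh_token'], $t0 + 15 * 86400)['status'], PHP_EOL;   // refresh token expired
```

The client side is the mirror image: send the access token on every call, treat any 401 as "refresh, then retry once", and treat a 401 from the refresh endpoint as "show the login screen". In a real deployment the refresh tokens would also be recorded server-side so they can be revoked, which this example leaves out.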
Solution 2:[2]
You need to look at the OpenID Connect (OIDC) protocol, which defines how refresh tokens, ID tokens, and access tokens work together.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
| Solution 2 | Alex Jiang |