Refresh Token

Hi,

How can I renew the access token after it expires? It seems that I have to use RefreshToken to request a new one, but its content is empty.

Thank you,

You should just redirect the user to login again to get a new access token.

Just to save me testing :wink: Where is the best place in a WebCore app to intercept this exception, and is it a named exception?

Sorry, I'm not sure I understand the question...

@wlandgraf
I'm not sure if this works as expected. I'm using TSphinxWebLogin. When I redirect to login again, we restart a new connection cycle with username/email and password and then restart the application. This is far from practical, especially if the user is in the middle of a long piece of work and reaches the time limit when posting data to the server!
I thought that RefreshToken is made to renew the token smoothly.

This is an issue. We have a site where the user can add things to a basket before logging in. When we get to the register/login, we have to save state and then restore it after the login is successful. This is fine at the point where this happens.

In other apps there could be an amount of data that needs saving, but of course this can't be done to the database as the JWT has expired. So while it is simple enough to redirect to the login, this data will be lost unless we write a lot of save (and then restore, which will be conditional) code to the session/local store.

There are two things that would help:

  1. be able to call for a token refresh so that the timeout can be extended, or
  2. not have Sphinx unloading the underlying application

I have personally never been too fond of refresh tokens. Here is why: jwt - Why is refresh token is more secure & why do we use refresh token if it can also be stolen? - Stack Overflow

So, in other words, what's the difference between using refresh tokens and using a long-lived access token?

I had the idea to refresh the token regularly. But having thought about what you said, you are right.
Thank you very much.
