Android refresh token

16,752

I think it's better to use both an access token and a refresh token, so you don't always have to send your credentials when your access token has expired. Moreover, it's not safe to store users' credentials on a client device; you should store this information on your server and ask the user to type it when needed.

Here is how I implement the token/refresh token process:

1: You send your credentials to your authentication server. It sends you back an access token (I use the JSON Web Token type, which is not stored in the database) and a refresh token (which is stored in the database).

2: When you make a request to your server, you check whether the access token has expired. If so, you make a request to your authentication server with the refresh token as a parameter in order to get a new access token (depending on the configuration of your server, it could give you back either just a new access token or a new pair of access token and refresh token, which I prefer).

3: If the refresh token has expired, you make a request with your credentials to get a new pair of tokens.
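The three steps above, as an added example that is not the answer author's code nor the jwt-auth library: a minimal Python model of the auth server (stateless HS256 access tokens, refresh tokens kept in a store) beside the client's expiry check. The signing key, TTLs, user store and the `daniele` credentials are constructed demo values; the server additionally revokes all of a user's refresh tokens when a single-use one is replayed, which is the usual hardening for the leaked-token case raised in the comments.

```python
import base64, hashlib, hmac, json, secrets
JWT_KEY = b"constructed-demo-signing-key"  # constructed; a real server loads it from config
ACCESS_TTL, REFRESH_TTL = 60, 30 * 86400   # seconds: short-lived access, long-lived refresh
USERS = {"daniele": hashlib.sha256(b"sms-code-1234").hexdigest()}  # demo store; use a salted slow hash

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_access_token(user: str, now: int) -> str:
    """Stateless HS256 JWT: the server stores nothing about it (step 1, access half)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user, "exp": now + ACCESS_TTL}).encode())
    sig = hmac.new(JWT_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def access_token_valid(token: str, now: int) -> bool:
    head, body, sig = token.split(".")
    expect = hmac.new(JWT_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expect), sig):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims["exp"] > now

class AuthServer:
    def __init__(self):
        self.refresh_db = {}  # refresh token -> record; the only token state kept server-side
    def _new_pair(self, user: str, now: int) -> dict:
        rt = secrets.token_urlsafe(32)
        self.refresh_db[rt] = {"user": user, "exp": now + REFRESH_TTL, "used": False}
        return {"access": issue_access_token(user, now), "refresh": rt}
    def login(self, user: str, password: str, now: int) -> dict:  # step 1
        if not hmac.compare_digest(USERS.get(user, ""), hashlib.sha256(password.encode()).hexdigest()):
            raise PermissionError("bad credentials")
        return self._new_pair(user, now)
    def refresh(self, rt: str, now: int) -> dict:  # step 2, server side
        rec = self.refresh_db.get(rt)
        if rec is None or rec["exp"] <= now:
            raise PermissionError("refresh token unknown or expired: log in again")  # step 3
        if rec["used"]:
            # Single-use token replayed: revoke all this user's refresh tokens so a leaked copy dies too
            for r in self.refresh_db.values():
                r["used"] = r["used"] or r["user"] == rec["user"]
            raise PermissionError("refresh token reuse detected: log in again")
        rec["used"] = True
        return self._new_pair(rec["user"], now)  # rotate: a new access AND refresh token

def api_request(server: AuthServer, tokens: dict, now: int) -> dict:  # client step 2
    if not access_token_valid(tokens["access"], now):  # expired: refresh, never resend credentials
        tokens = server.refresh(tokens["refresh"], now)
    return tokens
```

Because every refresh returns a fresh pair and marks the old refresh token as used, a copy stolen from the device stops working the moment either party presents it a second time, and the user is simply sent back to step 1.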

Lic

Updated on June 04, 2022

Comments

  • Lic
    Lic almost 2 years

    I'm developing an Android app and I'm a little confused regarding tokens and refresh tokens. Basically now, after the user logs in with a mobile number and a code sent by SMS, the authentication server returns an access token that will be used for accessing all APIs. For the authentication server, I've used Laravel with the jwt-auth library. When the access token expires I will ask for a new one using the user's credentials stored in the AccountManager. Is this the correct way to implement this authentication?

    Or am I missing the refresh token, with which I ask for a new access token when the current one has expired?

    Thanks in advance, Daniele

  • Lic
    Lic over 8 years
    Thanks Frédéric. Finally I used the JWT-auth library for Laravel (github.com/tymondesigns/jwt-auth/wiki) with this process: 1. The user sends his credentials to the auth server. 2. With the library I create an access token. 3. I store this token like a password in the AccountManager class of Android. 4. When the token has expired I request a new one using it. 5. If the request for a new token fails I ask the user to resend the credentials. Do you think this is the right process?
  • Frédéric
    Frédéric over 8 years
    Generally we use the refresh token to limit the use of the client credentials being sent over the wire to the auth service. "The shorter the time to live of the access-token, the more often the client credentials will have to be used to obtain a new access-token, and therefore the more opportunities attackers have to compromise the client credentials. So if you have a single-use refresh-token, you can make the ttl of access-tokens arbitrarily small without compromising the client credentials." on stackoverflow.com/questions/3487991/…
  • j10
    j10 almost 7 years
    @Frédéric: if your refresh token leaks, for example due to a rooted Android phone, then the attacker can keep on renewing the token. Do you generate a unique refresh token for each user?