JWT spring boot 2

Question

Hi I don't know that I understand correct how it should work with refresh token. I am creating spring boot backend with angular, and I want to implement JWT. Currently I am working on backend. access_token expire in 15 mins refresh_token: expire date 7 days

1. When angular sends request with credentials, my spring boot generate jwt token and refresh token. Each refresh token, and access token have different secret(because if they have same secret, someone can access resources with refresh token)
2. If token expire, angular should access endpoint /refresh_token, on this endpoint send header "Authorization":"Bearer REFRESH_KEY_VALUE", and obtain both new refresh_token, and access_token

Answer 1

Make sure you follow the RFC more details about the same here:

https://datatracker.ietf.org/doc/html/rfc6749#page-10

And also look at the Security Threats and Mitigations here - https://datatracker.ietf.org/doc/html/rfc6750#section-5.1

What you're referring to is Token Disclosure

To protect against token disclosure, confidentiality protection MUST be applied using TLS [RFC5246] with a ciphersuite that provides confidentiality and integrity protection. This requires that the communication interaction between the client and the authorization server, as well as the interaction between the client and the resource server, utilize confidentiality and integrity protection. Since TLS is mandatory to implement and to use with this specification, it is the preferred approach for preventing token disclosure via the communication channel. For those cases where the client is prevented from observing the contents of the token, token encryption MUST be applied in addition to the usage of TLS protection. As a further defense against token disclosure, the client MUST validate the TLS certificate chain when making requests to protected resources, including checking the Certificate Revocation List (CRL) [RFC5280].