Hi, I don't know that I understand correctly how it should work with a refresh token. I am creating a Spring Boot backend with Angular, and I want to implement JWT. Currently I am working on the backend. access_token: expires in 15 mins; refresh_token: expiry date 7 days.
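The access/refresh split described in the question (short-lived access token, 7-day refresh token) can be sketched end to end without Spring. The block below is an added example written for this page, not the asker's code and not Spring Security: it uses only the Python standard library, a constructed HS256 signing key, and an in-memory set of active refresh-token ids standing in for a database table. It shows the three checks a refresh endpoint needs: signature and expiry validation, refusing to accept a refresh token where an access token is expected (the `typ` claim), and one-time use of each refresh token (rotation), where presenting an already-rotated token is treated as evidence of disclosure and revokes the whole family for that subject.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed demo key for this example only; a real service loads it from configuration.
SIGNING_KEY = b"constructed-demo-key-do-not-use-in-production"
ACCESS_TTL = 15 * 60           # 15 minutes, as in the question
REFRESH_TTL = 7 * 24 * 3600    # 7 days, as in the question


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, expected_type: str, now: float) -> Optional[dict]:
    """Return the claims if the signature, algorithm, token type and expiry all check out."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None                      # tampered or forged
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None                      # never trust the token's own alg choice
    claims = json.loads(_b64url_decode(p))
    if claims.get("typ") != expected_type:
        return None                      # a refresh token is not an access token
    if claims.get("exp", 0) <= now:
        return None                      # expired
    return claims


class TokenService:
    def __init__(self) -> None:
        # jti -> subject for every refresh token that is still valid (stand-in for a DB table)
        self.active_refresh_ids: dict = {}

    def issue_pair(self, subject: str, now: float) -> Tuple[str, str]:
        jti = secrets.token_urlsafe(16)
        self.active_refresh_ids[jti] = subject
        access = sign_jwt({"sub": subject, "typ": "access",
                           "iat": int(now), "exp": int(now) + ACCESS_TTL})
        refresh = sign_jwt({"sub": subject, "typ": "refresh", "jti": jti,
                            "iat": int(now), "exp": int(now) + REFRESH_TTL})
        return access, refresh

    def refresh(self, refresh_token: str, now: float) -> Optional[Tuple[str, str]]:
        """Rotate: consume the presented refresh token and issue a fresh pair."""
        claims = verify_jwt(refresh_token, "refresh", now)
        if claims is None:
            return None
        if self.active_refresh_ids.pop(claims["jti"], None) is None:
            # Token was already rotated or revoked. Reuse means someone else has a copy,
            # so invalidate every refresh token this subject still holds.
            self.revoke_subject(claims["sub"])
            return None
        return self.issue_pair(claims["sub"], now)

    def revoke_subject(self, subject: str) -> None:
        for jti in [j for j, s in self.active_refresh_ids.items() if s == subject]:
            del self.active_refresh_ids[jti]

    def authorize(self, access_token: str, now: float) -> Optional[str]:
        """What a resource endpoint does: accept only a valid, unexpired access token."""
        claims = verify_jwt(access_token, "access", now)
        return claims["sub"] if claims else None
```

The `now` parameter is passed explicitly so the expiry behaviour can be exercised deterministically; a server would use the current time. Persisting the active refresh ids (rather than the tokens themselves) is what makes logout and reuse detection possible with otherwise stateless JWTs.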
Make sure you follow the RFC; more details about the same here:
https://datatracker.ietf.org/doc/html/rfc6749#page-10
And also look at the Security Threats and Mitigations here: https://datatracker.ietf.org/doc/html/rfc6750#section-5.1
What you're referring to is Token Disclosure.
To protect against token disclosure, confidentiality protection MUST be applied using TLS [RFC5246] with a ciphersuite that provides confidentiality and integrity protection. This requires that the communication interaction between the client and the authorization server, as well as the interaction between the client and the resource server, utilize confidentiality and integrity protection. Since TLS is mandatory to implement and to use with this specification, it is the preferred approach for preventing token disclosure via the communication channel. For those cases where the client is prevented from observing the contents of the token, token encryption MUST be applied in addition to the usage of TLS protection. As a further defense against token disclosure, the client MUST validate the TLS certificate chain when making requests to protected resources, including checking the Certificate Revocation List (CRL) [RFC5280].