How to support refresh tokens
I’ve been trying to use your angular-jwt module with the express-jwt module to refresh expired tokens. However, the documentation for these two modules does not seem to match up or explain how they work with each other.
I’ve created an express route /api/auth/refresh where I am attempting to issue a new refreshed token, and I am calling this route from the ‘delegated endpoint’ feature of angular-jwt. But the following code throws a ‘token expired’ error and I’m therefore unable to continue and issue the refreshed token:
// verify the existing token
var profile = jwt.verify(req.body.token, secret);
I’m reporting this as an issue since the documentation (for both modules) should really explain how they are meant to interoperate, and the documentation here could cover how the refresh is intended to be implemented in Express.
Issue Analytics
- Created 9 years ago
- Comments: 11 (1 by maintainers)
Top GitHub Comments
Claiming that token refresh is not within the domain of JWT implementations seems specious when this library supports token revocation. So +1
Dealing with expired tokens seems to fall outside of the scope of JWT, and more into application and business logic. I would think the application should have logic to ask for a refresh token (basically issue a new token) in the background.
If you automatically issue a new token when you receive a request with an expired token, that defeats the built-in security of JWT with having tokens expire in the first place.
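The flow discussed in this thread, as an added example that is not part of the original issue or of angular-jwt/express-jwt: a short-lived access token whose expiry is always enforced, plus a separate single-use refresh token tracked server-side, so an expired JWT is never accepted as the credential for a new one. It uses only Node's built-in crypto instead of a JWT library; the function names, TTLs, secret and in-memory store are assumptions made for the example.

```javascript
// Added example (not from the issue): access/refresh split with Node's crypto only.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed value, load from config in practice
const ACCESS_TTL = 300;                   // seconds (assumption)
const REFRESH_TTL = 14 * 24 * 3600;       // seconds (assumption)
const refreshStore = new Map();           // sha256(refresh token) -> { sub, exp }

const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const mac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();
const digest = (t) => crypto.createHash('sha256').update(String(t)).digest('hex');
const nowSec = () => Math.floor(Date.now() / 1000);

function signAccess(sub, now = nowSec()) {
  const body = b64({ alg: 'HS256', typ: 'JWT' }) + '.' + b64({ sub, exp: now + ACCESS_TTL });
  return body + '.' + mac(body).toString('base64url');
}

// Always enforces signature and expiry; there is no "ignore expiration" path.
function verifyAccess(token, now = nowSec()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, sig] = parts;
  const given = Buffer.from(sig, 'base64url');
  const expected = mac(h + '.' + p);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (now >= claims.exp) throw new Error('token expired');
  return claims;
}

// Login: hand out both tokens; only a hash of the refresh token is stored.
function issueSession(sub, now = nowSec()) {
  const refresh = crypto.randomBytes(32).toString('base64url');
  refreshStore.set(digest(refresh), { sub, exp: now + REFRESH_TTL });
  return { access: signAccess(sub, now), refresh };
}

// Refresh: the opaque refresh token is the credential, never the expired JWT.
// Each refresh token is single-use, so a replayed one is rejected.
function refreshSession(refresh, now = nowSec()) {
  const key = digest(refresh);
  const rec = refreshStore.get(key);
  refreshStore.delete(key);
  if (!rec || now >= rec.exp) throw new Error('invalid refresh token');
  return issueSession(rec.sub, now);
}
```

In an Express app, `refreshSession` would sit behind the `/api/auth/refresh` route and the store would be a database table, so refresh tokens can also be revoked on logout.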