How to silently refresh expired JWT token with OAuth2?


We have decided to switch from a Hazelcast shared session to stateless JWT authentication/authorization with OAuth2 and found a problem that doesn't fit our infrastructure, described below.

Current Hazelcast shared session

So we have multiple self-contained systems (scs) that may be accessed by direct link, e.g. mysite.com/scs1 and mysite.com/scs2.

Stateless JWT, so-called session

Each scs has its own UI and BackEnd, but the "session" (implemented via stateless JWT authorization) has to be valid across multiple scs'es.

The OAuth2 Authorization Server is a dedicated server (UAA). In OAuth2 terminology, each scs is a Resource Server.

Let's assume that the user has logged into scs1 (via UAA) and got a JWT with TTL=10 minutes and a RefreshToken with TTL=30 minutes. Then he leaves that tab in the browser for 15 minutes. The JWT expires, but the tab still contains the previous page from scs1. Then the user clicks a link on that page that leads to mysite.com/scs3.

scs3 receives the request, checks the JWT and finds out that it has expired. But we have a RefreshToken (still alive for 15 minutes) that may refresh the JWT.

Is it possible to return a response from scs3 that would ask the browser to go to UAA and silently refresh the JWT?

JWT has expired

Maybe some kind of REDIRECT to /uaa/authorization with the ability to add a RefreshToken header?


1 answer

aalekseyev:

We have finally found out how to deal with token refresh in our case.

The JWT has TTL=10 min, the RefreshToken has TTL=30 min.

JavaScript embedded in each page of our site refreshes the JWT every 8-9 minutes. So when the user has an open tab in his browser, the refresh procedure happens seamlessly.

A corner case is when the user:

  1. Opens tab mysite.com/scs1
  2. Logs in
  3. Closes tab
  4. Waits 15 minutes. The JWT expires, the RefreshToken is still alive.
  5. Opens new tab and enters mysite.com/scs1 or scs2 etc.

At this point the BackEnd receives only the JWT, which is expired. So the BackEnd redirects the user to a dedicated web page /try-refresh?uri=mysite.com/scs1

  1. The try-refresh page contains ONLY JavaScript, which tries to refresh the token and, if successful, redirects the user back to the address from the uri parameter
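The client-side pieces of the strategy in the answer above (scheduled refresh while a tab is open, plus the logic of the try-refresh page), as an added example that is not code from the original answer. It assumes the UAA exposes a standard OAuth2 token endpoint at /uaa/oauth/token and a login page at /uaa/login (both assumed paths), and that page JavaScript has access to the current access JWT and the refresh token. The sample JWT is constructed inline and carries a placeholder signature; the browser never verifies it, it only reads exp to know when to refresh.

```javascript
// Added example, not code from the original answer. Assumed: a UAA token
// endpoint at /uaa/oauth/token and a login page at /uaa/login, and that the
// page script holds the access JWT and the refresh token.

const TOKEN_ENDPOINT = "/uaa/oauth/token"; // assumed UAA token endpoint
const LOGIN_PATH = "/uaa/login";           // assumed UAA login page
const REFRESH_MARGIN_MS = 90 * 1000;       // refresh 90 s before exp: ~8.5 min into a 10 min TTL

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return typeof atob === "function" ? atob(b64) : Buffer.from(b64, "base64").toString("binary");
}

function base64UrlEncode(s) {
  const b64 = typeof btoa === "function" ? btoa(s) : Buffer.from(s, "binary").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Read the unverified exp claim (in milliseconds). The browser uses it only to
// schedule the refresh; authorization decisions stay with the resource server,
// which verifies the signature.
function jwtExpiryMs(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  if (typeof payload.exp !== "number") throw new Error("missing exp claim");
  return payload.exp * 1000;
}

function needsRefresh(token, nowMs) {
  return jwtExpiryMs(token) - nowMs <= REFRESH_MARGIN_MS;
}

// Delay for setTimeout: refresh REFRESH_MARGIN_MS before exp, never negative.
function msUntilRefresh(token, nowMs) {
  return Math.max(0, jwtExpiryMs(token) - REFRESH_MARGIN_MS - nowMs);
}

// /try-refresh?uri=... takes an attacker-controllable target. Only send the
// user back to a same-origin path; anything else turns the page into an open
// redirector that hands a freshly refreshed session to a phishing site.
function safeReturnPath(uri, origin) {
  let u;
  try { u = new URL(uri, origin); } catch (e) { return "/"; }
  if (u.origin !== origin) return "/";
  return u.pathname + u.search + u.hash;
}

// refresh_token grant (RFC 6749 section 6). fetchImpl is injected so the flow
// can be exercised without a network; in the browser pass window.fetch.
async function refreshAccessToken(fetchImpl, refreshToken) {
  const body = new URLSearchParams({ grant_type: "refresh_token", refresh_token: refreshToken });
  const res = await fetchImpl(TOKEN_ENDPOINT, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  });
  if (!res.ok) return null; // refresh token expired or revoked
  const json = await res.json();
  return typeof json.access_token === "string" ? json.access_token : null;
}

// Logic of the try-refresh page: refresh, then return to the requested page
// or, if the refresh token is dead too, fall through to an interactive login.
async function tryRefreshAndRedirect(fetchImpl, refreshToken, uriParam, origin) {
  const token = await refreshAccessToken(fetchImpl, refreshToken);
  if (token === null) return { ok: false, location: LOGIN_PATH };
  return { ok: true, location: safeReturnPath(uriParam, origin), token };
}

// Constructed sample token: JWS-shaped, with a placeholder signature part.
function makeSampleJwt(expSeconds) {
  const header = base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const payload = base64UrlEncode(JSON.stringify({ sub: "alice", exp: expSeconds }));
  return `${header}.${payload}.placeholder-signature`;
}
```

In a page, `setTimeout(refresh, msUntilRefresh(token, Date.now()))` gives the 8-9 minute cadence from the answer without a fixed interval, and the try-refresh page does `location.replace(result.location)` with the object returned by `tryRefreshAndRedirect`. Two caveats: the uri parameter must be restricted to the site's own origin as `safeReturnPath` does, and a refresh token readable by page JavaScript is exposed to any XSS on any scs; keeping it in an HttpOnly cookie scoped to the UAA path, and letting the token endpoint read it from there, limits that exposure.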