This post shows the authentication workflow using JWTs (JSON Web Tokens) as access and refresh tokens.
The access token should have a short lifetime, while the refresh token can have a long lifetime.
Signup flow
- The client sends its client id and password to the server.
- The server checks whether the client already exists in the database.
- If the client does not exist, the password is hashed and the user data is saved in the database.
Login flow
- The client sends its client id and password to the server.
- The server checks that the client exists and that the password is correct.
- If the password is correct, the server generates an access token and a refresh token.
- The tokens are sent to the client and stored as HTTP-only cookies so that attackers cannot read the tokens from the browser.
Flow for other requests
- Validate the access token. If the access token is valid, the request is authenticated.
- If the access token is not valid, validate the refresh token.
- If the refresh token is not valid, log the user out.
- If the refresh token is valid, generate a new access token and a new refresh token and send them to the client.
Logout flow
- Invalidate both the refresh token and the access token.
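The login, per-request and logout flows above, as an added Python example (not code from the original post): a minimal HS256 JWT encoder/verifier with a revocation set, where the signing key, token lifetimes and the `jti` naming are assumptions; a real service would use a vetted JWT library and persist the revocation list.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: server-side HS256 key, not from the page
ACCESS_TTL, REFRESH_TTL = 300, 7 * 24 * 3600  # short-lived access, long-lived refresh (seconds)
revoked = set()  # token ids (jti) invalidated by logout or by refresh-token rotation

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode(claims):
    # HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256 over the first two)
    signing_input = _b64(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def decode(token, now):
    # Return the claims only if the signature verifies and the token is unexpired and not revoked
    head, _, rest = token.partition(".")
    body, _, sig = rest.partition(".")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not sig or not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    return claims if claims["exp"] > now and claims["jti"] not in revoked else None

def issue_tokens(user, now, jti):
    # Login flow: a short-lived access token and a long-lived refresh token, each with its own id
    access = encode({"sub": user, "typ": "access", "jti": f"a{jti}", "exp": now + ACCESS_TTL})
    refresh = encode({"sub": user, "typ": "refresh", "jti": f"r{jti}", "exp": now + REFRESH_TTL})
    return access, refresh

def authenticate(access, refresh, now, next_jti):
    # Flow for other requests: returns (user, access, refresh), or None when the user must be logged out
    claims = decode(access, now)
    if claims and claims["typ"] == "access":
        return claims["sub"], access, refresh
    claims = decode(refresh, now)
    if not claims or claims["typ"] != "refresh":
        return None
    revoked.add(claims["jti"])  # rotation: the refresh token just used cannot be replayed
    return (claims["sub"],) + issue_tokens(claims["sub"], now, next_jti)

def logout(access, refresh):
    # Logout flow: invalidate both token ids so neither is accepted again before it expires
    for claims in (decode(t, float("-inf")) for t in (access, refresh)):
        if claims:
            revoked.add(claims["jti"])
```

The `now` parameter is passed in explicitly so the expiry and rotation behaviour can be exercised deterministically; in a server it would be the current time.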