Authentication Protocol

Danny Clarke edited this page Oct 14, 2018 · 2 revisions

Rough thoughts:

  • use HTTPS
  • send tokens as cookies marked HttpOnly and Secure
  • always send both an access token (short lived) and a refresh token (long lived), both JWTs
  • authorize using the following protocol:
    • check access token expiration:
      • valid: authenticated
    • check refresh token expiration:
      • expired: 403
    • check refresh token against black list:
      • blacklisted: 403
    • refresh the access token, optionally bump the TTL of the refresh token
    • continue on with logic
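A worked version of the list above, added here as an example rather than code from this wiki or its project: it mints HS256 JWTs with the standard library (no PyJWT), emits the cookie attributes from the earlier bullets, and walks the access → refresh-expiry → blacklist → re-issue order exactly as written. The signing key, the 15-minute/14-day TTLs, the cookie names, and blacklisting by the refresh token's `jti` claim are all assumptions; the page does not specify them.

```python
"""Added example of the access/refresh check described on the page.
Key, TTLs, cookie names and the jti-based blacklist are assumptions."""
import base64
import hashlib
import hmac
import json

SECRET = b"example-signing-key-not-for-production"  # constructed sample key
ACCESS_TTL = 15 * 60           # 15 minutes (assumed)
REFRESH_TTL = 14 * 24 * 3600   # 14 days (assumed)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_jwt(token: str, now: float):
    """Return the claims if the signature checks out and exp is in the future, else None.
    The alg check keeps a tampered header (e.g. alg=none) from being accepted."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:          # bad base64, bad JSON, wrong segment count
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def issue_tokens(user: str, now: float, refresh_jti: str) -> dict:
    """Both tokens always travel together, as the page says."""
    return {
        "access": mint_jwt({"sub": user, "typ": "access", "exp": now + ACCESS_TTL}),
        "refresh": mint_jwt({"sub": user, "typ": "refresh", "exp": now + REFRESH_TTL,
                             "jti": refresh_jti}),
    }


def cookie_header(name: str, value: str) -> str:
    """Set-Cookie value carrying the HttpOnly and Secure flags from the page."""
    return f"{name}={value}; HttpOnly; Secure; Path=/"


def authorize(cookies: dict, blacklist: set, now: float) -> dict:
    """The page's ordering: access token first, then refresh expiry, then the
    blacklist, then re-issue. 403 on any failure, as the page states."""
    access = verify_jwt(cookies.get("access", ""), now)
    if access and access.get("typ") == "access":
        return {"status": 200, "user": access["sub"], "refreshed": False, "set_cookies": {}}
    refresh = verify_jwt(cookies.get("refresh", ""), now)
    if not refresh or refresh.get("typ") != "refresh":
        return {"status": 403}           # refresh token missing, tampered or expired
    if refresh.get("jti") in blacklist:
        return {"status": 403}           # explicitly revoked (logout, suspected compromise)
    # Re-issue both tokens; issuing a new refresh token is the page's "optionally bump the TTL".
    fresh = issue_tokens(refresh["sub"], now, refresh["jti"])
    return {"status": 200, "user": refresh["sub"], "refreshed": True, "set_cookies": fresh}


if __name__ == "__main__":
    t0 = 1_000_000.0                              # constructed clock value
    toks = issue_tokens("alice", t0, "r1")
    print(authorize(toks, set(), t0 + 60)["refreshed"])                 # False: access still valid
    print(authorize(toks, set(), t0 + ACCESS_TTL + 1)["refreshed"])     # True: refreshed
    print(authorize(toks, {"r1"}, t0 + ACCESS_TTL + 1)["status"])       # 403: blacklisted
```

Passing `now` in explicitly rather than reading the clock inside makes the expiry branches testable; in a real handler the blacklist would be a store keyed by `jti` that logout writes to, and the `set_cookies` entries would be emitted through `cookie_header`.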