
@mumy81
Created August 10, 2019 20:31
JWT Refresh Token

Below are the steps to make a JWT access token effectively revocable. A self-contained JWT is accepted by every API that holds the verification key until it expires, so the access token is kept short-lived and paired with a refresh token that the auth server can reject:

  1. On login, return two tokens in the response to the client: an access token and a refresh token.
  2. The access token has a short expiry (minutes); the refresh token has a long expiry (days or weeks).
  3. The client (front end) stores the refresh token in its local storage and the access token in a cookie. Caveat: anything in local storage is readable by any script running on the page, so a single XSS bug leaks the long-lived refresh token; if you can, keep the refresh token in an HttpOnly, Secure cookie scoped to the refresh endpoint instead of JavaScript-reachable storage.
  4. The client calls the APIs with the access token. When it expires, the client takes the refresh token from storage and calls the auth server's refresh API to get a new access token.
  5. The auth server exposes an API that accepts the refresh token, checks its validity (signature or server-side record, expiry, not revoked) and returns a new access token. Because the auth server is the only party that ever receives refresh tokens, it can keep them in a store and delete an entry to end a session.
  6. Once the refresh token has expired (or has been revoked), the refresh call fails and the user is logged out.

-- another explanation:

Assuming that this is about OAuth 2.0 since it is about JWTs and refresh tokens...:

Just like an access token, in principle a refresh token can be anything, including all of the options you describe. A JWT could be used when the Authorization Server wants to be stateless or wants to enforce some sort of "proof-of-possession" semantics on the client presenting it. Note that a refresh token differs from an access token in that it is not presented to a Resource Server but only to the Authorization Server that issued it in the first place, so the self-contained validation optimization for JWTs-as-access-tokens does not hold for refresh tokens.

That depends on the security/access of the database; if the database can be accessed by other parties/servers/applications/users, then yes (but your mileage may vary with where and how you store the encryption key...).

An Authorization Server may issue both access tokens and refresh tokens at the same time, depending on the grant that is used by the client to obtain them; the spec contains the details and options on each of the standardized grants.

source : https://stackoverflow.com/questions/27726066/jwt-refresh-token-flow
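The flow in the numbered steps above, together with the quoted answer's point that an access token is validated self-contained by the Resource Server while a refresh token is only ever checked by the Authorization Server that issued it, as one added example. This is not code from the gist or from the Stack Overflow answer it quotes. It is Python using only the standard library: the HS256 JWT is built by hand with hmac/hashlib so nothing needs installing, the refresh token is an opaque random string stored hashed on the auth server so it can be revoked, and `now` is passed in explicitly so expiry can be exercised. The names AuthServer, jwt_encode, jwt_decode, resource_server_check and the two TTL constants are this example's own assumptions, not from the page; rotating the refresh token on each use goes beyond the steps above but is the usual hardening.

```python
# Added example (not from the gist or the quoted answer): short-lived JWT
# access tokens plus opaque, revocable refresh tokens. All names are assumed.
import base64, hashlib, hmac, json, secrets
from typing import Optional

ACCESS_TTL = 15 * 60           # access token lifetime in seconds (short)
REFRESH_TTL = 30 * 24 * 3600   # refresh token lifetime in seconds (long)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims: dict, key: bytes) -> str:
    """Hand-rolled HS256 JWT: b64url(header).b64url(payload).b64url(sig)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def jwt_decode(token: str, key: bytes, now: float) -> Optional[dict]:
    """Self-contained check a Resource Server can do without a database:
    fixed algorithm, constant-time signature compare, then expiry."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # never let the token choose the algorithm (alg=none etc.)
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(_unb64(payload_b64))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


class AuthServer:
    """Issues token pairs; the only party that ever sees a refresh token."""

    def __init__(self, key: bytes):
        self.key = key
        # sha256(refresh_token) -> {"sub": user, "exp": absolute expiry}.
        # Storing the hash means a leaked table does not yield usable tokens.
        self.refresh_store: dict = {}

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _access(self, user: str, now: float) -> str:
        return jwt_encode({"sub": user, "iat": int(now), "exp": int(now + ACCESS_TTL)}, self.key)

    def login(self, user: str, now: float) -> dict:
        """Steps 1-2: one short-lived access token, one long-lived refresh token."""
        refresh = secrets.token_urlsafe(32)
        self.refresh_store[self._h(refresh)] = {"sub": user, "exp": now + REFRESH_TTL}
        return {"access_token": self._access(user, now), "refresh_token": refresh}

    def refresh(self, refresh_token: str, now: float) -> Optional[dict]:
        """Step 5: validate against the store, return a new access token. The
        refresh token is rotated (old one invalidated) on every use; that goes
        beyond the gist's steps but is the usual hardening."""
        entry = self.refresh_store.pop(self._h(refresh_token), None)
        if entry is None or entry["exp"] <= now:
            return None  # unknown, revoked or expired: step 6, user logs in again
        new_refresh = secrets.token_urlsafe(32)
        self.refresh_store[self._h(new_refresh)] = entry  # keeps the original expiry
        return {"access_token": self._access(entry["sub"], now), "refresh_token": new_refresh}

    def logout(self, refresh_token: str) -> bool:
        """Revocation: drop the store entry; the session can outlive this by at
        most ACCESS_TTL, the remaining life of the current access token."""
        return self.refresh_store.pop(self._h(refresh_token), None) is not None


def resource_server_check(token: str, key: bytes, now: float) -> Optional[str]:
    """Step 4: the API needs only the signing key, no call to the auth server."""
    claims = jwt_decode(token, key, now)
    return claims["sub"] if claims else None


if __name__ == "__main__":  # quick demo of the flow
    import time
    key, now = secrets.token_bytes(32), time.time()
    srv = AuthServer(key)
    pair = srv.login("alice", now)
    print("api sees:", resource_server_check(pair["access_token"], key, now))
    print("after expiry:", resource_server_check(pair["access_token"], key, now + ACCESS_TTL))
    renewed = srv.refresh(pair["refresh_token"], now + ACCESS_TTL)
    print("old refresh token reused:", srv.refresh(pair["refresh_token"], now + ACCESS_TTL))
```

Two design points worth noting. The resource server never touches `refresh_store`; it only needs the HMAC key, which is the stateless optimization the quoted answer describes for access tokens. Revocation works precisely because the refresh token is not a self-contained JWT but a key into server-side state: `logout` deletes that state, and the session ends within ACCESS_TTL.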
