12

I have an android app. It connects with a REST API developed with Jersey. My REST End points are secured with Tokens. Below is how I generate them.

Algorithm algorithm = Algorithm.HMAC256(secret);
String token = JWT.create()
    .withClaim("userName","myusername)
    .withExpiresAt(expirationDate)
    .sign(algorithm);

Below is how I validate the token

public boolean validateTokenHMAC256(String token, String secret) throws UnsupportedEncodingException, JWTVerificationException
    {       
        Algorithm algorithm = Algorithm.HMAC256(secret);


        JWTVerifier verifier = JWT.require(algorithm) 
                .build(); //Reusable verifier instance
            DecodedJWT jwt = verifier.verify(token);

            Claim usernameClaim = jwt.getClaim("username");
            String username = usernameClaim.asString();
            System.out.println(username);


        return true;
    }

In my REST API I have a filter and that filter checks every request to see whether the token is as it is. Below is the code.

@Secured
@Provider
@Priority(Priorities.AUTHENTICATION)
public class AuthenticationFilter implements ContainerRequestFilter{

    //private static String authorizationSecret = "ZXW24xGr9Dqf9sq5Dp8ZAn5nSnuZwux2QxdvcH3wQGqYteJ5yMTw5T8DBUJPbySR";

    public AuthenticationFilter()
    {
        System.out.println("test printing");
    }

    @Override
    public void filter(ContainerRequestContext crc) throws IOException
    {
        String headerString = crc.getHeaderString("Bearer");
        System.out.println("bluh: "+headerString);
        System.out.println("test printing");

        try
        {
            boolean validateToken = validateToken(headerString, AuthKey.authorizationSecret);
            System.out.println("valid");
        }
        catch(Exception e)
        {
            System.out.println("invalid");
            crc.abortWith(
                Response.status(Response.Status.UNAUTHORIZED).build());
        }

    }

    private boolean validateToken(String strToken, String secret) throws UnsupportedEncodingException, JWTVerificationException
    {
        Token token = new Token();
        return token.validateTokenHMAC256(strToken,secret);
    }



}

The above code will be called when the user login to the application. However the token will be expired in 60 minutes. I know that after the token is expired either I have to take the user back to sign in screen or refresh the token. I went through the advices in here and here

But I do not understand the following.

  1. How can I figure out whether the token has to be renewed? I thought I should do that after it is expired, but seems that is not the case. If I ask it to refresh in now<exp it will refresh in every request.

  2. How can I assign and send this token back to the user? Currently when the user login on, he will get the token and he will save it in a variable. For the refreshed token to work, do I have to call the login method again (So the token will be sent to the user) or JWT it self will handle the case?

  3. How do I actually refersh using java-jwt ?

Community
  • 1
  • 1
PeakGen
  • 21,894
  • 86
  • 261
  • 463

1 Answers1

14
  1. How can I figure out whether the token has to be renewed? I thought I should do that after it is expired, but seems that is not the case. If I ask it to refresh in now

You need to refresh the token before it is expired. Decide your policy:

  • issue a fresh token in every request

  • issue a fresh token when the current one is close to expire. e.g. 10 min

  • let client app request a new token when it needs it using a "refresh service" of your api. For example

@GET
@Path("/jwt/refresh")
@Produces(MediaType.TEXT_HTML)
public String refresh(){
    //Build a returns a fresh JWT to client 
}
  1. How can I assign and send this token back to the user?

If you issue a fresh token during a request, you can return it in a special header that client will read during processing of the response. If you publish a "refresh" service as described above, then the client will call it independently when the current JWT is close to expire

Redirect to login method is not a good alternative because you will lose the current request

  1. How do I actually refresh using java-jwt

Just issue a new token

pedrofb
  • 37,271
  • 5
  • 94
  • 142
  • Thanks. `If you stablish a refresh service, then the client will call it independently.` - I am not clear, please explain – PeakGen Mar 30 '17 at 08:36
  • Thanks. So basically inside the refresh() method what I have to do is; 1. check whether the token is expired. 2. If not expired call the first set of code I have in my question, which is capable of generating a token. Am I correct? `If you publish a "refresh" service as described above, then the client will call it independently when the current JWT is close to expire` - That means the client should track whether his JWT is close to expire or not right? My client is an android app, so the android app should check whether the token is expired, isnt it? – PeakGen Mar 30 '17 at 10:02
  • yes, that's it. To check expiration, the android app can check the `exp` claim in the token payload – pedrofb Mar 30 '17 at 10:54