making sure to send the user a clear error message if they send a non-JSON body. As there were a lot of changes, you may want to check out the GitHub repository's branch called lesson-11, to make sure you have properly updated all of your code!

We're in for another big one today, but hopefully the patterns we established while learning to sign up users will become even clearer as we store tokens.

We recently implemented signing up a user (see parts 8-10 of this series). However, we omitted an important detail in our application - storing refresh tokens. You can see these details below in the calls from NewPairFromUser to the token repository. In the diagram, I've grayed out and checked off the completed portions required to sign up a user.

Why store these tokens at all? Because this gives us the ability to invalidate users' long-lived tokens. The idToken will allow the user to access various applications in our domain. Recall that we set the time to expiration to 3 days for refresh tokens and 15 minutes for ID tokens. This allows a user with an expired idToken to reach out to this account application with their refreshToken to get a new idToken. At the end of the day, we do this to make accessing our applications more pleasant, since it would be a pain in the arse to need to log in every 15 minutes.

However, there is a danger in creating a token that lives for 3 days. If the token is stolen, or if a user wants to sign out of all of their devices, they could still access the application for up to 3 days! For this reason, we're going to create a Redis database that stores valid refresh tokens for users.
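The revocable refresh-token scheme described above, as an added example in Go (the language the NewPairFromUser naming suggests) that is not the tutorial's own code: the Redis-backed token repository is replaced by an in-memory stand-in with the same key-plus-expiry semantics, and the TokenRepo methods, the TokenPair fields and the placeholder ID-token strings are assumptions, not the project's API.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"strings"
	"time"
)

// 3-day refresh tokens are stored so they can be revoked; 15-minute ID tokens are not.
const refreshTokenTTL = 72 * time.Hour
// TokenRepo is an assumed in-memory stand-in for the Redis token repository:
// keys are "<userID>:<refreshID>" with an expiry, like Redis SET ... EX.
type TokenRepo struct{ expiry map[string]time.Time }
func NewTokenRepo() *TokenRepo { return &TokenRepo{expiry: map[string]time.Time{}} }
// Has is true only for a stored, unexpired entry (expired == evicted by Redis).
func (r *TokenRepo) Has(userID, refreshID string) bool {
	exp, ok := r.expiry[userID+":"+refreshID]
	return ok && time.Now().Before(exp)
}
// DeleteAll is "sign out of all devices": like SCAN MATCH "<userID>:*" then DEL.
func (r *TokenRepo) DeleteAll(userID string) {
	for k := range r.expiry {
		if strings.HasPrefix(k, userID+":") {
			delete(r.expiry, k)
		}
	}
}
type TokenPair struct{ IDToken, RefreshID string }
// NewPairFromUser issues a pair and records only the refresh token's ID, deleting
// the previous ID (if any) first so a used refresh token cannot be replayed.
// The ID token is a placeholder string here, not a signed JWT.
func NewPairFromUser(repo *TokenRepo, userID, prevRefreshID string) TokenPair {
	delete(repo.expiry, userID+":"+prevRefreshID) // no-op when prevRefreshID is ""
	b := make([]byte, 16)
	rand.Read(b)
	rid := hex.EncodeToString(b)
	repo.expiry[userID+":"+rid] = time.Now().Add(refreshTokenTTL)
	return TokenPair{IDToken: "id-token-for-" + userID, RefreshID: rid}
}

// Refresh honours a refresh token only while the repository still lists it.
func Refresh(repo *TokenRepo, userID, refreshID string) (TokenPair, error) {
	if !repo.Has(userID, refreshID) {
		return TokenPair{}, errors.New("refresh token revoked, expired or unknown")
	}
	return NewPairFromUser(repo, userID, refreshID), nil
}
```

A stolen refresh token is useful only until the user signs out everywhere (DeleteAll) or the 3-day entry expires, and a refresh token that has already been redeemed is rotated out, so the same one cannot be replayed.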