JWT Gotchas

Anurag Jain
Jan 1, 2023

Why a refresh token is required with JWT

In the JWT approach, a token that decodes successfully is trusted by the application. If we don't set an expiry, the token is trusted forever, which is a security issue, so a token expiry should always be set (generally 5 minutes). If the token expires after 5 minutes, the client gets logged out, so we need a refresh token, which lets the client obtain a new token. When the client tries to refresh, the auth server may reject the refresh token if it has been blacklisted for any reason.

What "decoded successfully" means

  • it is not expired
  • the audience is the same
  • it is decoded with the correct key (the secret for HS256, the public key for RS256)

Types of algorithms

HS256

This requires the secret key to verify the signature. The secret key is shared between the server and the auth server. This approach doesn't work on the frontend, because you can't put the secret key in UI code.

RS256

The JWT is created using a private key and can be verified using the public key.

When you verify a JWT on jwt.io, it reports the signature as verified even if we didn't provide the public key. How did jwt.io verify the token? See https://stackoverflow.com/questions/64297228/where-does-jwt-io-get-the-public-key-from-jwt-token

The token contains the issuer (iss) of the token and the key id (kid), which identifies the public key that is needed to verify the signature. With this information, jwt.io can find the public key in the form of a JWK (JSON Web Key) on a JWKS endpoint (/.well-known/jwks.json), to verify the token. A JWKS (JSON Web Key Set) contains an array of JWKs, the link shows an example.

These public and private keys should be rotated for security, so the next question that comes to mind is: what is the advantage of the JWT mechanism if we always have to call the auth server to fetch the public key? See https://stackoverflow.com/questions/74726221/why-to-fetch-public-key-dynamically-for-verifying-jwt-token-rsa-256

No, you don't need to fetch the key every time. The JWT contains a key ID, so when you try to validate your token, check if you have already cached the public key. If not, fetch a new key and cache it. Otherwise, use the cached key.
