Shubham's Blog

Understanding Access Tokens and Refresh Tokens in Web Applications

Shubham's photo
Shubham
·

4 min read

In modern web applications, security and efficient session management are paramount. Access tokens and refresh tokens play a crucial role in achieving secure authentication and maintaining user sessions. Let's delve into what these tokens are, their purposes, and how they work together in a simple example.

What are Access Tokens and Refresh Tokens?

Access Token:

  • Purpose: An access token is like a digital key that allows a user to access specific resources or perform actions within an application.

  • Lifespan: Typically short-lived (e.g., minutes), it grants temporary authorization to the user based on their logged-in state and permissions.

  • Usage: Presented by the client application (such as a web browser or mobile app) to the server with each request to access protected resources.

Refresh Token:

  • Purpose: A refresh token is used to obtain a new access token when the current access token expires.

  • Lifespan: Longer-lived than access tokens (e.g., days to months), it allows for extended session management without requiring the user to log in repeatedly.

  • Usage: Stored securely on the client side, it is used behind the scenes to renew access tokens, maintaining seamless user sessions.

Example Scenario: Simple Authentication System

Let's consider a basic web application where users log in to access their profile information.

Step-by-Step Implementation

  1. User Authentication:

    • When a user successfully logs in with their credentials (username/password), the server generates an access token and a refresh token.

    • These tokens are sent back to the client (browser or mobile app) and stored securely (e.g., in browser storage or app memory).

  2. Accessing Protected Resources:

    • The client includes the access token in the header of each request to the server when accessing protected endpoints (e.g., fetching user profile data).

    • The server verifies the access token to ensure the user is authenticated and authorized to access the requested resources.

  3. Token Expiry and Refresh:

    • Access tokens have a short lifespan to limit security risks if compromised.

    • When an access token expires, the client uses the refresh token to request a new access token from the server without requiring the user to log in again.

    • The server validates the refresh token and issues a new access token if the refresh token is valid.

Implementation Example (Node.js and Express)

// Example implementation using Node.js and Express

// Dummy user database
const users = [
  { id: 1, username: 'user1', password: 'password1' }
];

// Generate tokens function
const generateAccessToken = (user) => {
  return jwt.sign({ username: user.username }, process.env.ACCESS_TOKEN_SECRET, { expiresIn: '15m' });
};

const generateRefreshToken = (user) => {
  return jwt.sign({ username: user.username }, process.env.REFRESH_TOKEN_SECRET);
};

// Login route
app.post('/login', (req, res) => {
  // Authenticate user (dummy example, actual implementation would include password hashing)
  const { username, password } = req.body;
  const user = users.find(u => u.username === username && u.password === password);

  if (!user) {
    return res.status(401).json({ message: 'Invalid credentials' });
  }

  // Generate tokens
  const accessToken = generateAccessToken(user);
  const refreshToken = generateRefreshToken(user);

  res.json({ accessToken, refreshToken });
});

// Protected route example
app.get('/profile', authenticateToken, (req, res) => {
  // Access token verified, return user profile data
  res.json(req.user);
});

// Middleware to authenticate access token
const authenticateToken = (req, res, next) => {
  const authHeader = req.headers['authorization'];
  const token = authHeader && authHeader.split(' ')[1];

  if (!token) {
    return res.status(401).json({ message: 'Access token not provided' });
  }

  jwt.verify(token, process.env.ACCESS_TOKEN_SECRET, (err, user) => {
    if (err) {
      return res.status(403).json({ message: 'Invalid token' });
    }
    req.user = user;
    next();
  });
};

// Example refresh token route
app.post('/token', (req, res) => {
  const refreshToken = req.body.token;
  if (!refreshToken) {
    return res.status(401).json({ message: 'Refresh token not provided' });
  }
  jwt.verify(refreshToken, process.env.REFRESH_TOKEN_SECRET, (err, user) => {
    if (err) {
      return res.status(403).json({ message: 'Invalid refresh token' });
    }
    const accessToken = generateAccessToken({ username: user.username });
    res.json({ accessToken });
  });
});

Conclusion

Access tokens and refresh tokens are essential components of secure authentication and session management in web applications. By understanding their roles and implementing them correctly, developers can ensure user data remains protected while providing a seamless and secure user experience.

By using tokens, applications can effectively manage user sessions, limit exposure of sensitive data, and provide secure access to resources, contributing to overall application security and user trust.

Implementing tokens involves generating, verifying, and renewing them as needed to maintain secure and efficient user authentication and authorization processes. This ensures that users can access the application securely and seamlessly while protecting their data and maintaining session persistence.