JWT-Refresh purpose? #125

Closed
Dragomir-Ivanov opened this issue Apr 18, 2019 · 6 comments

@Dragomir-Ivanov

What is the purpose of JWT-Refresh? When I set -jwt-refreshes=5, loginsrv allows me to refresh a token, but only if it is already valid, i.e. NOT expired. What is the purpose of refreshing a still-valid token? I would assume Refresh should refresh already expired tokens, without asking for user/pass.
Any advice appreciated, thanks!

@smancke
Member

smancke commented Apr 19, 2019

Hi @g-w,
using this feature, it is possible to extend a user session for a web application.
E.g. for a web application I would set the token expiry time to 10min and schedule a refresh as long as the browser tab is open. To schedule the refresh, you can look at the expiry time in the token itself.
Refreshing an expired token would make the expiry effectless.

@smancke smancke closed this as completed Apr 19, 2019
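
The scheduling described in the reply above, as an added example that is not part of the original thread or of loginsrv's code: it reads `exp` from the token payload and schedules the refresh shortly before expiry, because an expired token cannot be refreshed. The helper names, the 30-second margin and the caller-supplied `getToken`, `refreshToken` and `onExpired` functions are assumptions; the refresh request itself is left to the caller.

```javascript
// Added example. Helper names and the margin are assumptions, not loginsrv API.
const SAFETY_MARGIN_MS = 30000; // refresh this long before `exp`

// Decode the JWT payload WITHOUT verifying it. This is only for scheduling:
// the server stays the sole judge of whether the token is valid.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(atob(padded)); // assumes an ASCII-only payload
}

// Milliseconds to wait before refreshing. Returns null when the token has
// already expired: a refresh would be refused, so the user must log in again.
function refreshDelayMs(token, nowMs = Date.now(), marginMs = SAFETY_MARGIN_MS) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== "number") throw new Error("token has no numeric exp claim");
  const expMs = exp * 1000; // `exp` is in seconds since the epoch (RFC 7519)
  if (expMs <= nowMs) return null;
  return Math.max(0, expMs - marginMs - nowMs);
}

// Keep refreshing while the tab is open. getToken returns the current JWT,
// refreshToken performs the refresh request (caller-supplied, hypothetical),
// onExpired sends the user back to the login form.
function keepSessionAlive(getToken, refreshToken, onExpired, timers = globalThis) {
  let handle = null;
  let stopped = false;
  const schedule = () => {
    if (stopped) return;
    const delay = refreshDelayMs(getToken());
    if (delay === null) return onExpired();
    handle = timers.setTimeout(async () => {
      try {
        await refreshToken();
        schedule();
      } catch (err) {
        onExpired(err); // refresh rejected, e.g. refresh limit reached
      }
    }, delay);
  };
  schedule();
  return () => { stopped = true; timers.clearTimeout(handle); };
}
```

`keepSessionAlive` returns a function that cancels the pending refresh, for example when the tab is closed or the user logs out.
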
@Dragomir-Ivanov
Author

Thanks for the fast reply. 10min is way too intimidating for my web app users, I guess asking for user/pass for inactivity of 24h is more acceptable. This is such a wonderful project. Probably I may add some MongoDB persistence for user/pass/claims, if such functionality is accepted.

@smancke
Member

smancke commented Apr 22, 2019

Hi @Dragomir-Ivanov, a persistence for user/pass/claims would of course be useful, but I would not include it in this project. It should live in a separate service.

@Dragomir-Ivanov
Author

Hi @smancke, no problem. Any advice on how we should connect loginsrv to this other service? Maybe loginsrv can have some callbacks to call on each login/refresh attempt?
I haven't heard of OSIAM, and its web site seems dead.

It would be superb if loginsrv can be used alone, and can have more dynamic user details. If we agree on a path forward I can make PRs. Thanks!

@smancke
Member

smancke commented May 13, 2019

Hi @Dragomir-Ivanov,
today, we merged a hook for a configurable UserService endpoint to loginsrv.
See: https://github.com/tarent/loginsrv#user-endpoint
Together with the httpupstream authentication it is simple to create a compatible standalone user service.

@Dragomir-Ivanov
Author

Thanks a ton. Will take a look.
