Implementing long-lived JWTs with configurable expiration

03 Oct 2023

JSON Web Tokens (JWTs) are widely used in modern web applications for authentication and authorization purposes. By default, JWTs have a short expiration time, typically ranging from a few minutes to a few hours. However, in some cases, it may be necessary to have long-lived JWTs that can last for days, weeks, or even months.

In this blog post, we’ll explore a strategy for implementing long-lived JWTs with a configurable expiration. Let’s dive in!

Why use long-lived JWTs?

Long-lived JWTs can be beneficial in scenarios where frequent token regeneration is not desirable. For example:

Applications that have a session-based architecture and require the user to stay logged in for a longer period.
Applications that rely on offline access tokens that don’t require constant user interaction.
Microservices that need to communicate securely over a longer duration.

Configuring JWT expiration

To implement long-lived JWTs with configurable expiration, we need to make a few changes to our token generation and verification process. Here’s an example using the jsonwebtoken library in Node.js:

Generating a long-lived JWT: ```javascript const jwt = require(‘jsonwebtoken’); const privateKey = ‘your-private-key’;

const expiresIn = ‘30 days’; // Set the desired expiration period

const payload = { /* Your payload data */ };

const token = jwt.sign(payload, privateKey, { expiresIn });

In the example above, the `expiresIn` parameter specifies the time after which the token should automatically expire. You can set it to any valid time format or use a combination of days, hours, minutes, and seconds.

2. Verifying the JWT:
```javascript
const jwt = require('jsonwebtoken');
const publicKey = 'your-public-key';

const token = 'your-jwt-token';

jwt.verify(token, publicKey, (err, decoded) => {
  if (err) {
    // Token is expired or invalid
    // Handle the error
  } else {
    // Token is valid, proceed with authentication/authorization logic
    // Access the decoded payload via the variable 'decoded'
  }
});

In the verification step, the library automatically checks the expiration time set in the token and throws an error if the token has expired.

Refreshing long-lived JWTs

With long-lived JWTs, refreshing the token periodically becomes important. This can be achieved by implementing a token refresh mechanism. When the token is close to expiration, the client can send a refresh request to the server, which then issues a new JWT with a refreshed expiration time.

Conclusion

Configuring long-lived JWTs with a customizable expiration time allows for greater flexibility in managing authentication and authorization in web applications. Remember to strike a balance between security and convenience when setting the expiration time for your tokens.

Now you can confidently implement long-lived JWTs with the knowledge of how to configure their expiration. Happy coding!

#TechBlog #JWT #Authentication