I am doing a Spring Boot application (REST API, JPA, etc.) used (via REST) from a website (Angular) and a mobile app (Android).
The user using the mobile app (in the future) will be able to authenticate via Facebook, Google, etc. and store in the database some information received from the social networks that is necessary for the app.
I implemented the authentication by providing username and password (saved in the database) and by issuing an access token (JWT) from the backend, used by both frontends at every REST request to Spring Boot.
Now I would like the user of the mobile app not to have to enter username and password every time, but to remain logged in "always".
Reading on the internet I saw that it is possible to generate a refresh token that the app can use when the backend (Spring Boot) returns HTTP error 401. The app uses the refresh token to ask the backend for a new access token. If the refresh token has also expired, then the user is forced to re-enter the username and password; otherwise they remain logged in.
Which flow is correct and secure?
Thanks