Preface

Notes on front-end/back-end separation: the token timeout refresh policy!

Requirement scenario

Yesterday I posted an article about the token authentication mechanism used to pass user information, and discussed it with several members of the group. Some of them raised a question: what should we do when the token becomes invalid? Force a redirect to the login page?

In theory, if an active user's token expires while they are filling in a form and they are suddenly redirected to the login page, the user experience is poor.

Goals

  • Extend the token expiration time
  • When an active user's token expires, refresh the token dynamically without the user noticing, so that they stay logged in
  • When an inactive user's token expires, redirect them to the login page

Fields returned at login

How the token is issued was covered in the previous post and is not repeated here. The login interface returns the following data:

import java.io.Serializable;

import lombok.Data;

@Data
public class LoginVo implements Serializable {

    private static final long serialVersionUID = 6711396581310450023L;

    // ... some business fields omitted

    /** Token; the expiration time defaults to 15 days */
    private String jwt;

    /** Refresh token; its expiration time can be set to twice that of jwt or even longer, used to refresh the token dynamically */
    private String refreshJwt;

    /** Token expiration timestamp */
    private Long tokenPeriodTime;

}

The meaning of each returned field is given in the comments; in brief:

  • jwt: the token submitted when the user accesses interfaces normally. Its expiration time is set longer, 15 days here.
  • refreshJwt: the refresh token. Its expiration time can be set to twice that of jwt or even longer; it is submitted to the backend for validation when the token is refreshed dynamically.
  • tokenPeriodTime: the token expiration timestamp. Before calling an interface, the front end proactively checks whether the token has expired; if it has, the front end submits refreshJwt to the token refresh interface to obtain a new token.

Dynamically refreshing the token

After the front end detects that the token has expired, it calls the backend's token refresh interface with refreshJwt. The server still parses and authenticates refreshJwt in the interceptor:

  • If refreshJwt has also expired, the user is forcibly redirected to the login page
  • If refreshJwt is still valid, a new token is issued and returned, and the front end uses the latest token for subsequent interface requests

Conclusion

  • For an active user, the token is refreshed dynamically during the window between the token's expiration time and refreshJwt's expiration time, so the user stays logged in without noticing anything
  • For an inactive user, if refreshJwt expires while they are still not using the system, they are treated as inactive and should be redirected to the login page

Finally

This post is short; it mainly ties up the loose ends left by the previous front-end/back-end separation article on passing user information. If you have a better approach, leave a message and let me know, thanks. The original article will be updated from time to time; you are welcome to follow the WeChat official account "Zhang Shaolin students"!