Spring Boot Security - JWT Refresh Token Explained In Details | JavaTechie


Java Techie

1 year ago

39,382 views


Comments:

Gokul B V - 09.11.2023 15:36

After the token expired he will get a 401 Unauthorized error, not 403.

Briefseverus - 27.10.2023 13:07

Thank you sir, in case I want to look for setting CORS for Spring Security, what video can I find from you?

Shubhajit Mandal - 09.10.2023 05:55

It is a very good video... for completion of the security series please make a video on JWT logout please.

hasan bin alam - 03.10.2023 20:29

You explained the things very well. Thank you so much. But I have one thing to mention, refresh token expiry time should also be extended in the database for every successful refresh token request. Isn't it? If the user requests the new token before the expiry of the refresh token, a new token will be given as well as the refresh token time should also be extended and updated in the database. Otherwise after some time the user needs to re-login when the refresh token is expired.

Daniel Vargas dos Santos - 25.09.2023 23:15

Greetings from Brazil. Thank you sir. Excellent didactic!

alok - 23.09.2023 18:53

Thank you sir, your video is very helpful.
And a request to you, please make a detailed video to explain about Keycloak and its use in production-ready code.

ajit ulti - 05.09.2023 10:31

Hi sir, thanks for your videos. Could you please suggest a free cloud SQL database like NoSQL MongoDB Atlas? 😊

Garvit Joshi - 03.09.2023 16:39

Thank you Basant,
It was a really informative video.

Had a doubt on why could we not refresh the token ourselves when we get a token expiration exception, rather than creating a table.

The only way I could see we cannot do it is if JWT checks for expiration first and then the whole token validity.

Phong Lâm - 15.08.2023 07:52

Can we work with refresh token without creating table refreshtoken in database?

soujanya b - 11.08.2023 12:37

@Javatechie great sessions about JWT. Have 2 Qs: 1. In real time, we should be giving the expiration date of token to be same as JWT expiry time, am I right? 2. From UI, when we get expired message from API call, UI has to make another call to /refreshToken with the token value, is my understanding correct?

Сергей Панкратов - 02.08.2023 12:17

The refresh token can only be used once. After that, a new accessToken\refreshToken pair should be returned with a new expired time. Otherwise, this token has no meaning. And when the refreshToken expired, the client needs to log in again using the login\password.

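The rotation scheme described in the comment above, as an added example that is not code from the video or from the commenter: a single-use refresh token is exchanged for a new pair, and both a replayed and an expired token are rejected. All names, the 7-day lifetime and the in-memory map standing in for the database table are assumptions; it is plain Java 17 with no Spring dependency.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical names throughout; the map stands in for the refresh-token table.
public class RefreshTokenRotation {
    record Stored(String username, Instant expiresAt) {}
    record TokenPair(String accessToken, String refreshToken) {}
    static final Duration REFRESH_TTL = Duration.ofDays(7); // assumed lifetime
    private final Map<String, Stored> store = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();

    private String randomToken() {
        byte[] b = new byte[32];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Called after a successful login. The access token is a placeholder for a signed JWT.
    public TokenPair issue(String username, Instant now) {
        String refresh = randomToken();
        store.put(refresh, new Stored(username, now.plus(REFRESH_TTL)));
        return new TokenPair("access." + randomToken(), refresh);
    }

    // Exchanges a refresh token for a new pair; the presented token is consumed.
    public TokenPair rotate(String presented, Instant now) {
        Stored old = store.remove(presented); // atomic, so a replayed token finds nothing
        if (old == null) throw new SecurityException("unknown or already used");
        if (now.isAfter(old.expiresAt())) throw new SecurityException("expired, log in again");
        return issue(old.username(), now);
    }

    String attempt(String token, Instant now) {
        try { rotate(token, now); return "accepted"; }
        catch (SecurityException e) { return "rejected: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        RefreshTokenRotation svc = new RefreshTokenRotation();
        Instant t0 = Instant.parse("2023-01-01T00:00:00Z"); // constructed sample time
        TokenPair first = svc.issue("alice", t0);
        TokenPair second = svc.rotate(first.refreshToken(), t0.plusSeconds(600));
        System.out.println(svc.attempt(first.refreshToken(), t0.plusSeconds(700)));          // replay
        System.out.println(svc.attempt(second.refreshToken(), t0.plus(Duration.ofDays(8)))); // expired
    }
}
```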
Koutuk Lokhande - 31.07.2023 19:21

Hi Basant,
Thank you for sharing the knowledge and for the informative content.
Can you please explain if the refresh token concept can be applied for communication between 2 microservices?
Ideally how should the behavior be if one microservice API is trying to access other microservice API which is secured with JWT but the access token is expired? Thanks!

Mani Movassagh - 28.07.2023 01:22

Great video. Can you please make a video for securing Spring Boot 3 apps along with React front end together with Keycloak? It would be a great video.

Epilux - 22.07.2023 18:20

As I know, it's not a good practice to send the role in the JWT. You should implement an ACL in backend based on username to validate the role.
Btw, nice tutorial! Good job!

Shakti Prasad Sahoo - 19.07.2023 07:46

Hello Sir, thank you for this excellent video. I have a doubt sir, refresh token job is simply reduce the reauthentication of user by providing a new JWT or access token when his token expires, right!! Is it so then in our real world most of application is using refresh token, in this way whenever user auth token expires then with the help of refresh token they will regenerate again and again, then they should never get session out and logged out, they can access the endpoints forever, but they do get logged out because of token expiration, why sir?

Shakti Prasad Sahoo - 19.07.2023 07:39

kbk

Mohammad Mutawe - 19.07.2023 06:04

Thanks Basant, you always make great videos.
Could you please add an extra video to your Spring Security series where you use Spring Vault to store sensitive data like your JWT secret, etc.

Munavar Fairooz C - 07.07.2023 06:10

Don't we have to give back a new token with the new access token, and update its expiry in db?
