Implement JWT Refresh token in Open Event Attendee App
In open event attendee android app earlier only access token is used, which causes HTTP 401 many time due to expiry of the token. It needs to re sign-in for the user. Now we have implemented refresh token authorization with the open event server using retrofit and OkHttp. Retrofit is one of the most popular HTTP client for Android. When calling API, we may require authentication using a token. Usually, the token is expired after a certain amount of time and needs to be refreshed using the refresh token. The client would need to send an additional HTTP request in order to get the new token. Imagine you have a collection of many different APIs, each of them requires token authentication. If you have to handle refresh token by modifying your code one by one, it will take a lot of time and of course, it’s not a good solution. In this blog, I’m going to show you how to handle refresh token on each API calls automatically if the token expires.
- How refresh token works?
- Add authenticator to OkHttp
- Network call and handle response
- Conclusion
- Resources
Let’s analyze every step in detail.
How Refresh Token Works?
Whether tokens are opaque or not is usually defined by the implementation. Common implementations allow for direct authorization checks against an access token. That is, when an access token is passed to a server managing a resource, the server can read the information contained in the token and decide itself whether the user is authorized or not (no checks against an authorization server are needed). This is one of the reasons tokens must be signed (using JWS, for instance). On the other hand, refresh tokens usually require a check against the authorization server.
Add Authenticator to OkHTTP
OkHttp will automatically ask the Authenticator for credentials when a response is 401 Not Authorised retrying last failed request with them.
class TokenAuthenticator: Authenticator {
override fun authenticate(route: Route?, response: Response): Request? {
// Refresh your access_token using a synchronous api request
val newAccessToken = service.refreshToken();
// Add new header to rejected request and retry it
return response.request().newBuilder()
.header(AUTHORIZATION, newAccessToken)
.build()
}
}
Add the authenticatior to OkHttp:
val builder = OkHttpClient().newBuilder()
.authenticator(TokenAuthenticator())
Network Call and Handle Response
API call with retrofit:
@POST("/auth/token/refresh")
fun refreshToken(): Single<RefreshResponse>
Refresh Response:
@JsonNaming(PropertyNamingStrategy.SnakeCaseStrategy::class)
data class RefreshResponse(
val refreshToken: String
)
In a Nutshell
Refresh tokens improve security and allow for reduced latency and better access patterns to authorization servers. Implementations can be simple using tools such as JWT + JWS. If you are interested in learning more about tokens (and cookies), check our article here.
Resources
- Android – Retrofit 2 Refresh Access Token with OkHttpClient and Authenticator: https://www.woolha.com/tutorials/android-retrofit-2-refresh-access-token-with-okhttpclient-and-authenticator
- Refresh Tokens: When to Use Them and How They Interact with JWTs: https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/
Tags
Eventyay, open-event, FOSSASIA, GSoC, Android, Kotlin, Refresh tokens