Senior Full Stack Web Developer - Ossi Jalonen

Full stack part 3: World of Tokens

Published: 2023-11-30
Updated: 2024-01-22

You can go into much more detail about JWT really - I downloaded a pdf book about it not too long ago and it was 120 pages long. I didn’t get very far. And it did seem to go off topic at some point. Maybe the most common use I can think of is to simply authenticate a user in a stateless system, like accessing an API from some web app. The idea is that the back-end is stateless, so it doesn’t keep track of who’s logged in and who’s not. Instead, it generates a ‘token’ that gets passed around while the user is accessing the API service. I believe it’s pointless for me to go into more detail, and the above is probably already too much and not explained well enough. I have to trust that all of you reading this at this point have an idea. Ideally, by the end you’ll have an idea of a few issues with the JWT approach as well.

I’m going to point out a few things that are often missing from articles or tutorials that I’ve read about this subject. And I’m going to add a few relevant links again as well. (Or if it’s too much, just find the second link on this page to a good tutorial towards the bottom of the page)

Refresh token

What is a refresh token? If you followed the earlier tutorial and got all the way to the end, you still would not know. When you create a JWT token, you need to be aware that it is fairly powerful in the sense that it will give access to the service that issued it until it expires, even after you’ve logged out, unless the service has implemented some type of blacklist/whitelist system. For this reason, the expiry of a JWT token may often be quite short, let’s say 10-15 minutes. Not 24 hours, like in the above tutorial.

Depending on the service provided, this longer expiry time may not really be a big issue, but let’s assume that we’ll go with a more reasonable 15 minutes. We don’t really want to have the user log in again, so we’ll have a second token that has a longer expiry time, and once the JWT has expired, the user requests another JWT token using the refresh token. A refresh token might be set to expire in 24 hours, or a week, for example. This adds a bit of complexity, and when you search for JWT tutorials, the refresh token is often missing completely. As it was in the above tutorial. And this makes it harder to find a standard way of building this type of authentication system.
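As an added example (not code from this post or from either tutorial it links), here is the access/refresh split from the last two paragraphs implemented with the Python standard library’s HMAC, using an in-memory set as a stand-in for the Redis store the linked tutorial needs; the key, the ‘kind’ claim, the counter-based jti and all function names are this example’s own choices.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed for this example; a real key is random and kept server-side
live: set[int] = set()  # refresh ids that may still be redeemed; stands in for the tutorial's Redis store
_seq = 0

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(msg: str) -> str:  # append the HS256 tag to "header.payload"
    tag = hmac.new(SECRET, msg.encode(), hashlib.sha256).digest()
    return f"{msg}.{_b64(tag)}"

def token(claims: dict) -> str:
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return _sign(f"{header}.{payload}")

def verify(tok: str, now: int) -> dict:
    """Stateless check: the HMAC must match and exp must still be in the future."""
    head, sep, _ = tok.rpartition(".")
    if not sep or not hmac.compare_digest(_sign(head).encode(), tok.encode()):
        raise ValueError("malformed token or bad signature")
    payload = head.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def issue(user: str, now: int) -> tuple[str, str]:
    """Mint a 15-minute access token and a 7-day refresh token sharing one jti."""
    global _seq
    _seq += 1
    live.add(_seq)
    access = token({"sub": user, "kind": "access", "jti": _seq, "exp": now + 15 * 60})
    refresh_tok = token({"sub": user, "kind": "refresh", "jti": _seq, "exp": now + 7 * 86400})
    return access, refresh_tok

def refresh(tok: str, now: int) -> tuple[str, str]:
    """Redeem a live refresh token exactly once and rotate to a fresh pair."""
    claims = verify(tok, now)
    if claims["kind"] != "refresh" or claims["jti"] not in live:
        raise ValueError("refresh rejected")
    logout(claims)  # the old refresh token cannot be replayed
    return issue(claims["sub"], now)

def logout(claims: dict) -> None:
    """Retire the refresh id; an already issued access token still verifies until it expires."""
    live.discard(claims["jti"])
```

Because verify() checks only the signature and exp, an access token keeps working after logout() until its 15 minutes are up; only the refresh path consults the live set, which is the blacklist/whitelist point made above.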

Ok, so here’s a link to a tutorial that did include the use of a refresh token. This time I’m not going to jump in when there’s an issue with anything to do with the tutorial, and it’s also worth noting that you’ll need to set up Redis to follow along:

https://developer.vonage.com/en/blog/using-jwt-for-authentication-in-a-golang-application-dr

So if you’re done with that one, before I get into one regular point of view about online tutorials (they don’t cover everything as they should), let’s point out another major thing about the internet - “if at first you don’t succeed, try, try again” applies to googling. So the more you google, the more time you waste, but eventually you may well find the article that saves the day. Or gets you from one issue to the next, more likely.

Next, more of the same - this time a written tutorial that promises in the title to do things ‘properly’. Basically a more advanced version of the previous tutorial. As a side note here, I find learning curves generally follow the same pattern, very easy start that lasts for too long, a kind of slow climb, followed by a steep rocky mountain, designed to leave most of us behind and only a few eager clever ones able to carry on to the top. So instead of mountain climbing, let’s continue with a nice and easy pace up the hill.

As there’s not a lot going on in this post for all you guys looking for code, TL;DR:
“How to Properly Refresh JWTs for Authentication in Golang”
https://codevoweb.com/how-to-properly-use-jwt-for-authentication-in-golang/

I will follow along with this tutorial and highlight when I get stuck, or have anything else to add. It’s very similar to the previous one, as it’s using fiber and gorm, and is a JWT token authentication tutorial. I’m expecting this to cover a few additional features that would be part of a real project, as well as the refresh token missing from the earlier tutorial.

Let me check in - about halfway through the tutorial, and there’s even an earlier tutorial on the same site, on much the same subject really. But I guess this will cover the topic in enough detail for now. So far so good, haven’t tried running the app yet, and there have been a few gaps in the tutorial code, but mainly just adding imports and such. I’m sure the repo will serve as reference for the tutorial.

I made it to the end of the tutorial, it all makes sense and was maybe slightly more complicated than I thought necessary, but if it works, it’s one of the better tutorials I’ve come across on this subject. For some small personal projects I might not have Redis running, but the code can easily enough be adjusted not to use Redis. And it’s great that I now have a working example with the Redis setup included. We’re next going to have a look at a tutorial or two about front-end JWT authentication and then see how we combine the two. The front-end is probably quite simple, so we’re not too far off.