Refreshing an Access Token with Ktor and JWT

Published by Tomas Zezula on

We’re back with another part of the series Conquer Authentication with Ktor. Remember where we left off in Part 6? We learned how to implement authentication with JWT but that lingering question remained: What happens once the access token expires? Today, we will address this concern and learn how to easily refresh an expired token in the background, without asking the user to re-authenticate.

This post is part of a hands-on tutorial. Feel free to check out the project from GitHub and follow along.

Table of Contents

Juggling Two Tokens instead of One

To automatically refresh the access token, we need two types of tokens. First, there is the actual short-lived access token. Let’s say it expires in an hour. Next, we need a so called refresh token. It pairs with the access token and has typically a considerably longer life span. In our case, let’s assume that the refresh token lasts a day before it expires.

It’s tempting to model these tokens as two separate data classes, like this.

data class AccessToken(val token: String, val expiry: Instant)
data class RefreshToken(val token: String, val expiry: Instant)

However, this isn’t necessary, since the Ktor’s JWT library automatically verifies the exp claim and throws a JWTVerificationException when the token expires. We will though create a wrapper for the refresh token to simplify the parsing process later on.

import kotlinx.serialization.Serializable

@Serializable
data class RefreshToken(val token: String)

The tokens are generated the exact same way. The only difference is their lifespan, which is set as a configuration parameter in application.conf.

auth {
  jwt {
    expirationSeconds {
      accessToken = 3600    // 1 hour
      refreshToken = 86400  // 1 day
    }
  }
}

The function that generates the respective token makes use of the jwtConfig object loaded from the application.conf and in our case it is defined as an extension method in JWTConfig.kt.

import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import java.time.Clock

fun JWTConfig.createToken(clock: Clock, user: User, expirationSeconds: Long): String =
    JWT.create()
        .withAudience(this.audience)
        .withIssuer(this.issuer)
        .withClaim("name", user.name)
        .withClaim("role", user.role)
        .withExpiresAt(clock.instant().plusSeconds(expirationSeconds))
        .sign(Algorithm.HMAC256(this.secret))

Finally, we put the pair of tokens in the response to a successful login – see Routing.kt for full implementation details.

// Simplify the call to create a new token
fun createToken(expirationSeconds: Long): String =
  jwtConfig.createToken(clock, user, expirationSeconds)

// Create a pair of tokens
val accessToken = createToken(jwtConfig.expirationSeconds.accessToken)
val refreshToken = createToken(jwtConfig.expirationSeconds.refreshToken)

// Return the pair in the response (provided the user authentication was successful)
call.respond(
  mapOf(
    "accessToken" to accessToken,
    "refreshToken" to refreshToken
  )
)

Once the client receives the response, it should save both the access and the refresh token. From now on, the client will use the access token to access protected resources. When the server eventually rejects the client request due to an expired access token, the client will use the stored refresh token to obtain a new pair of tokens.

Refreshing an Expired Token

In order to refresh an expired access token, the client sends a request to a specific endpoint provided by the server. The details may vary depending on the situation, but in our example, we simply expose a POST /refresh endpoint on our server.

The endpoint is defined in Routing.kt.

import kotlinx.serialization.Serializable

post("/refresh") {
  // Extract the refresh token from the request
  val refreshToken = call.receive<RefreshToken>()

  // Verify the refresh token and obtain the user
  val user = jwtConfig.verify(refreshToken.token) ?: run {
    call.respond(HttpStatusCode.Forbidden, "Invalid refresh token")
    return@post
  }

  // Create new access and refresh tokens for the user
  val newAccessToken = jwtConfig.createToken(
    clock, user, jwtConfig.expirationSeconds.accessToken
  )
  val newRefreshToken = jwtConfig.createToken(
    clock, user, jwtConfig.expirationSeconds.refreshToken
  )
            
  // Respond with the new tokens
  call.respond(
    mapOf(
      "accessToken" to newAccessToken,
      "refreshToken" to newRefreshToken
    )
  )
}

@Serializable
data class RefreshToken(val token: String)

As soon as the client receives a new pair of tokens, it should discard the old pair and replace it with the new one. The client continues using the new access token until the server eventually rejects the client request due to the access token’s expiry. At that point, the client calls the /refresh endpoint using the renewed refresh token, and the whole cycle repeats.

Summary

Thanks for reading, hope you found the post useful. Today we looked at improving the user experience by implementing a token refresh in the background. We tapped into the Ktor’s JWT library to do most of the work for us. Hope you appreciate we only had to write minimum of custom code to achieve what we needed.

Thanks for reading! Today, we explored how to enhance user experience by implementing a token refresh in the background. We tapped into Ktor’s JWT library, which significantly simplified the entire implementation. I hope you found this valuable, especially how we achieved our goals with a minimal amount of custom code. Stay tuned for our next post where we will level up our security measures with OAuth.

Categories: KotlinProductivityTutorials
Tags:

Tomas Zezula

Hello! I'm a technology enthusiast with a knack for solving problems and a passion for making complex concepts accessible. My journey spans across software development, project management, and technical writing. I specialise in transforming rough sketches of ideas to fully launched products, all the while breaking down complex processes into understandable language. I believe a well-designed software development process is key to driving business growth. My focus as a leader and technical writer aims to bridge the tech-business divide, ensuring that intricate concepts are available and understandable to all. As a consultant, I'm eager to bring my versatile skills and extensive experience to help businesses navigate their software integration needs. Whether you're seeking bespoke software solutions, well-coordinated product launches, or easily digestible tech content, I'm here to make it happen. Ready to turn your vision into reality? Let's connect and explore the possibilities together.

Related Posts

Code coverage abstraction
Kotlin

Unlocking Test Coverage in Kotlin Multiplatform with JaCoCo and GitHub Actions – Part 1

Kotlin Multiplatform unlocks new possibilities for developing cross-platform applications. However, this innovative approach does not come without its complexities. Especially when delving into its specific Gradle configuration. One of the challenges is establishing a reliable, automated test coverage report - an integral part of maintaining code quality and integrity. In this mini-series, we'll learn how to leverage JaCoCo Gradle plugin to generate code coverage reports. Additionally, we'll leverage GitHub Actions to generate a coverage badge independently from any third-party platform. This approach simplifies the process by keeping everything within the GitHub ecosystem, providing a seamless workflow for your multi platform projects.

Ktor auth series recap
Kotlin

Conquer Authentication with Ktor: Summary

Our journey of exploring authentication with Ktor has come to an end. Thanks to all of you who have followed along through this tutorial series. Over the past two months and across ten comprehensive posts, Read more…

CORS inspector
Kotlin

Conquer Authentication with Ktor: Part 8 – Protect Access with CORS

Ensuring security and flexibility of web services when it comes to cross-origin resource sharing is essential. This is elegantly managed through the implementation of Cross-Origin Resource Sharing (CORS), an established practice for modern web applications. A well defined CORS policy not only enhances security but also promotes a seamless interaction between different domains. Thankfully, Ktor makes this process straightforward and efficient. In this final part of our series on authentication with Ktor, we will provide clear examples to guide you. By the end of this post, you'll see how effortless it is to integrate CORS into your Ktor projects, ensuring your services are both secure and accessible.