Tokens

Types of tokens used by Passage and how to secure them.

Passage uses two types of tokens: auth tokens and refresh tokens. Let's talk about what they are and how to make sure they are used securely.

Auth tokens

Auth tokens are automatically configured for your application when it is created. These tokens are JWTs, which are signed by Passage and verified by your web server to confirm the user is logged in. You can configure the session expiration time in the Passage Console.

Refresh tokens

The primary downside to using JWTs for session tokens is that you cannot revoke a JWT: it is valid until its expiration time. The benefit is that verification of the token can be done offline, without a round trip to the issuer, which makes JWTs a great fit for using a third-party service like Passage.

To mitigate some of this risk, Passage supports refresh tokens, which can be turned on for any application. Refresh tokens are long-lived tokens that can be used to "refresh" a session, and, unlike auth tokens, they can be revoked. A typical app configuration would look like this: refresh tokens are enabled with the maximum session length you want to allow (say 24 hours). Then you set the auth token expiration to something short (say 1 minute). Both of these tokens are stored client side, and when the auth token expires, the client checks with Passage to see if the refresh token is still valid. If it is, a new auth token is issued. If not, the user is logged out. If you use the Passage User class or an Element, this is handled for you automatically.

Token storage

By default, Passage stores the auth tokens in cookies and local storage for easy access. These tokens are accessible in JavaScript, which is necessary for Passage to work. Since tokens cannot be invalidated before the expiration time, it is important to ensure that when you log out a user, you clear the token from all browser storage. If you use the default sign out functionality in the Passage-JS client SDK, we will handle this for you. But if you use a custom TokenStore or store the token in a different place, be sure to remove it from storage when a user is logged out.
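The refresh flow and the logout-clears-everything rule above, as an added example that is not Passage SDK code: the client only reads `exp` from the auth token (signature verification stays on the web server), asks an assumed `refreshFn` callback for a new auth token when it has expired, and wipes every storage location if the refresh token has been revoked. The `TokenStore` class, the `auth_token`/`refresh_token` names and the demo tokens are all constructed for this example.

```javascript
// Added example, not Passage's code. Minimal short-auth-token / long-refresh-token
// session manager for the browser side of the pattern described above.

// Decode the JWT payload WITHOUT verifying it. The client only needs `exp` to decide
// when to refresh; the signed token is still verified by the web server on each request.
function jwtExp(token) {
  const payload = token.split(".")[1];
  const json = Buffer.from(payload, "base64url").toString("utf8");
  return JSON.parse(json).exp; // seconds since epoch
}

// Constructed demo tokens with a placeholder signature; a server must never accept these.
function fakeJwt(expSeconds) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "none" })}.${b64({ sub: "user_123", exp: expSeconds })}.sig`;
}

// Hypothetical TokenStore standing in for cookies + localStorage. The important part is
// clearAll(): logout must remove the token from every place it was written.
class TokenStore {
  constructor() { this.local = new Map(); this.cookies = new Map(); }
  set(name, value) { this.local.set(name, value); this.cookies.set(name, value); }
  get(name) { return this.local.get(name) ?? this.cookies.get(name); }
  clearAll() { this.local.clear(); this.cookies.clear(); }
}

// refreshFn(refreshToken) is an assumed callback that asks the auth service for a new
// auth token and returns null when the refresh token is revoked or expired.
function ensureAuthToken(store, refreshFn, nowSeconds) {
  const auth = store.get("auth_token");
  if (auth && jwtExp(auth) > nowSeconds) return auth;      // still valid: offline check only
  const refresh = store.get("refresh_token");
  const fresh = refresh ? refreshFn(refresh) : null;
  if (!fresh) {                                             // revoked: treat as a full logout
    store.clearAll();
    return null;
  }
  store.set("auth_token", fresh);
  return fresh;
}
```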