
Spring Boot Security - JWT Refresh Token Explained In Details | JavaTechie 

Java Techie

In this tutorial, we demonstrate how to implement a refresh token mechanism in a Spring Boot application secured with JSON Web Tokens (JWT). Refresh tokens improve the security and user experience of your application by allowing clients to request new access tokens without requiring users to re-authenticate every time their access token expires.
By the end of this video, you'll have a solid understanding of how to implement a refresh token mechanism within your Spring Boot application, providing a more secure and seamless experience for your users.
#JavaTechie #springBoot #JWT
Spring Boot microservice premium course launched with 70% off 🚀 🚀
Hurry up and register today!
COURSE LINK : javatechie5246.ongraphy.com/
PROMO CODE : JAVATECHIE50
GitHub:
github.com/Java-Techie-jt/jwt...
Blogs:
/ javatechie
Facebook:
/ javatechie
Join this channel to get access to perks:
ru-vid.comjoin
Guys, if you like this video, please subscribe and press the bell icon so you don't miss any update from Java Techie.
Disclaimer/Policy:
--------------------------------
Note: All content uploaded to this channel is mine and is not copied from any community;
you are free to use the source code from the GitHub account mentioned above.

Science

Published: 18 May 2023

Comments: 105
@TheMaxcraft1
@TheMaxcraft1 1 day ago
Very nice explanation man
@user-bz5de4gi1y
@user-bz5de4gi1y 10 months ago
The refresh token can only be used once. After that, a new accessToken/refreshToken pair should be returned with a new expiry time. Otherwise, this token has no meaning. And when the refreshToken has expired, the client needs to log in again using the login/password.
@deeplife9654
@deeplife9654 3 months ago
This is my exact thought after watching this. 😢
@nareshk2606
@nareshk2606 1 year ago
You are doing a great job by sharing your knowledge.
@vino7tech
@vino7tech 1 year ago
Thank you sir. Many developers are learning about Spring Boot from you alone, sir. Thanks for the wonderful concept.
@Javatechie
@Javatechie 1 year ago
Thank you so much, Vinoth. Keep learning 😃
@phanimc11211
@phanimc11211 1 year ago
Thanks for the simple and clean explanation.
@sujitkumar2196
@sujitkumar2196 1 year ago
Awesome video, it's very helpful. Thank you so much for making such a video.
@theparten
@theparten 1 day ago
Great tutorial man ❤. I have one question: wouldn't it be better to add the refresh token mechanism in the security filter chain so that the backend would automatically generate a new access and refresh token? In this setup the user would send both the accessToken and the refresh token with every request, and the server would refresh the access token if it has expired using the refresh token (we can encrypt it). That way we remove the hassle of hitting another endpoint, and the API consumer will have to hit one endpoint instead. What's your take on this approach? I'm open to suggestions and corrections.
@shubhajitmandal8615
@shubhajitmandal8615 7 months ago
It's a very good video... To complete the security series, please make a video on JWT logout.
@nirmesh44
@nirmesh44 1 year ago
Best explanation ever 🙂
@premraj.m
@premraj.m 2 months ago
Great video @Basant. One small point: calling the JWT an ID token would be more precise than calling it an access token. Am I right?
@lamtran5585
@lamtran5585 1 year ago
Amazing, good job!
@alok9624
@alok9624 8 months ago
Thank you sir, your video is very helpful. And a request to you: please make a detailed video explaining Keycloak and its use in production-ready code.
@sarojsahoo8763
@sarojsahoo8763 1 year ago
Can you also let us know what the flow of execution will be if the application is integrated with a UI, e.g. Angular?
@mohammadmutawe9783
@mohammadmutawe9783 10 months ago
Thanks Basant, you always make great videos. Could you please add an extra video to your Spring Security series where you use Spring Vault to store sensitive data like your JWT secret, etc.?
@Javatechie
@Javatechie 10 months ago
I haven't done this, but I'm sure I will add it. Thanks for your suggestion.
@ivanpaulbay7206
@ivanpaulbay7206 1 year ago
Thank you so much sir! I've followed your previous videos related to security and I was looking at how to add a refresh token, and then you just recently published a video for refresh tokens 👏👍👍 Thanks sir!
@Javatechie
@Javatechie 1 year ago
Keep learning, Ivan 😊
@ravikumarpawar2406
@ravikumarpawar2406 1 year ago
Awesome video, excellent explanation. Please use the Postman light theme.
@ashokbantu1297
@ashokbantu1297 1 year ago
Thanks for these tutorials. Can you please do an OAuth2 implementation video also?
@monykeo317
@monykeo317 6 months ago
Great explanation
@hasanbinalam4051
@hasanbinalam4051 8 months ago
You explained things very well. Thank you so much. But I have one thing to mention: the refresh token expiry time should also be extended in the database for every successful refresh token request, shouldn't it? If the user requests a new token before the refresh token expires, a new token should be given and the refresh token time should also be extended and updated in the database. Otherwise, after some time the user needs to log in again when the refresh token expires.
@Javatechie
@Javatechie 8 months ago
Yes, we have done the same, right? In case I missed it, then you are absolutely right here.
@JavaDesiTech
@JavaDesiTech 22 days ago
Thank you very much, bro.
@ajaypardhe6594
@ajaypardhe6594 1 year ago
Sir, have the Eureka server and client been deprecated? Spring Initializr shows them as unsupported with 3.1.0.
@vinodhreddy6227
@vinodhreddy6227 1 year ago
Thanks, please cover roles in a Spring Cloud example.
@soujanyab8152
@soujanyab8152 9 months ago
@Javatechie great sessions about JWT. I have 2 questions. 1. In real time, we should set the expiration date of the token to be the same as the JWT expiry time, am I right? 2. From the UI, when we get an expired message from the API call, the UI has to make another call to /refreshToken with the token value, is my understanding correct?
@Javatechie
@Javatechie 9 months ago
Yes, absolutely correct.
@jatinsharma3792
@jatinsharma3792 3 months ago
@@Javatechie Always try to paint the real picture; otherwise understanding is easy, but if you take it the other way it will waste so much time thinking about why you did this or that if your explanation is not exactly correct, right? It is 4am.
@ayushsingh2431
@ayushsingh2431 1 year ago
The explanation is good! Can you please explain why we are expiring the "token" which is used to refresh the JWT token? It seems to defeat the whole purpose, because although we are refreshing the JWT token, when the "token" expires we will have to log in again to obtain the new JWT token and the new "token". Shouldn't it be the case that the "token" must not expire and should be able to refresh the JWT token unless the user logs out? Here we are refreshing the JWT token but forcing the user to re-login if the other "token" expires.
@theparten
@theparten 1 day ago
That's the exact question I have after watching this comprehensive tutorial...
@manee427
@manee427 10 months ago
Great video. Can you please make a video on securing Spring Boot 3 apps together with a React front end using Keycloak? It would be a great video.
@user-uy3jd4xz6v
@user-uy3jd4xz6v 9 months ago
Can we work with refresh tokens without creating a refreshtoken table in the database?
@ankitsh6557
@ankitsh6557 1 year ago
Thanks Basant. This is really helpful. Also, can you make a video on implementing authentication and authorization for microservices using the Istio service mesh? And if possible, make use of an identity provider like Azure.
@Javatechie
@Javatechie 1 year ago
I haven't used a service mesh, buddy, so I will explore and update.
@user-it2cv5bu8b
@user-it2cv5bu8b 9 months ago
Thank you Basant, it was a really informative video. I had a doubt about why we could not refresh the token ourselves when we get a token expiration exception, rather than creating a table. The only reason I could see that we cannot do it is if JWT checks for expiration first and then the whole token's validity.
@Javatechie
@Javatechie 9 months ago
How can you compare without storing the token, buddy?
@kfjustforfun4825
@kfjustforfun4825 4 months ago
You explain well; however, when I run localhost:8080 it shows an error. Did you put some front end in your project?
@Javatechie
@Javatechie 4 months ago
No frontend, and what error are you getting?
@Briefseverus
@Briefseverus 7 months ago
Thank you sir. In case I want to look at setting up CORS for Spring Security, which of your videos can I find it in?
@Javatechie
@Javatechie 7 months ago
Just add the below piece of code to your backend code:

    import org.springframework.context.annotation.Bean;
    import org.springframework.web.servlet.config.annotation.CorsRegistry;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

    @Bean
    public WebMvcConfigurer corsConfigurer() {
        // WebMvcConfigurerAdapter no longer exists in Spring 6 / Boot 3;
        // WebMvcConfigurer has default methods, so it can be implemented directly.
        return new WebMvcConfigurer() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/**")
                        .allowedMethods("GET", "POST", "PUT", "DELETE")
                        .allowedOrigins("*")
                        .allowedHeaders("*");
            }
        };
    }
@nguyenhoanganh2k1
@nguyenhoanganh2k1 1 year ago
Pro, can you tell me where in the frontend we should save the refresh token to send to the backend when we want to renew the access token? Thanks so much.
@lidiaz0
@lidiaz0 3 months ago
Hello! It can be stored in the session.
@vino7tech
@vino7tech 1 year ago
Sir, can you do a post for a custom OAuth2 video?
@nielvargas
@nielvargas 8 months ago
Greetings from Brazil. Thank you sir. Excellent teaching!
@raghuvardhansaripalli9636
@raghuvardhansaripalli9636 1 year ago
Hi Basant, I have a question: how do I migrate an existing 2.x Spring Boot project to 3.x? Is there any tool or plugin which automatically fixes the errors and turns it into 3.x?
@Javatechie
@Javatechie 1 year ago
No buddy, no tools are available so far; you need to fix it manually. Like security, batch and Micrometer related changes.
@raghuvardhansaripalli9636
@raghuvardhansaripalli9636 1 year ago
@@Javatechie OK, thanks Basant.
@inhtruongvu7618
@inhtruongvu7618 7 months ago
00:00 Implement refresh token mechanism in Spring Boot application secured with JWT
04:27 Implement refresh token to avoid re-authentication
08:46 Creating a refresh token entity and API
13:13 Creating a refresh token for JWT access token
17:30 Creating a refresh token endpoint
21:18 Methods to verify and retrieve tokens from DB
25:25 Regenerate token using refresh token
29:31 Implementing a refresh token mechanism to avoid re-authentication
Crafted by Merlin AI.
@sarojsahoo8763
@sarojsahoo8763 1 year ago
I have one question. Why do we need to generate a random string along with the accessToken? Instead of it, can we pass the user itself for whom the token has expired, and return a fresh token for the user in the response?
@Javatechie
@Javatechie 1 year ago
No, that random token has an expiry limit; until then the user can use that random string to renew a new token.
@yoogeshsharma2977
@yoogeshsharma2977 1 year ago
The old expired token associated with the userInfo is not getting deleted even though we are deleting it before throwing a runtime exception. And it is not giving any error either. Is this happening to everyone? I went to the DB and checked and saw bunches of old expired tokens. I am pretty sure this is due to not detaching the userInfo id (FK) from the refreshtoken table. But how to detach it and remove the old tokens?
@Javatechie
@Javatechie 1 year ago
I am pretty sure, and have even verified, that it will delete.
@yoogeshsharma2977
@yoogeshsharma2977 1 year ago
@@Javatechie In most production code, I have seen the @Transactional annotation at the DAO layer. In the example here, since the Service is acting as a DAO layer, the problem starts occurring when I put @Transactional(propagation = Propagation.REQUIRED) on the Service class. I have not gone too deep into the @Transactional annotation, but I am pretty sure you can hardly ignore this annotation in production code. Update: adding the below annotation on the method will solve the problem for now. But I'm still not sure what the @Transactional annotation was doing. Thanks!! @Transactional(transactionManager = "transactionManager", propagation = Propagation.NEVER)
@ajitulti4319
@ajitulti4319 9 months ago
Hi sir, thanks for your videos. Could you please suggest a free cloud SQL database, like the NoSQL MongoDB Atlas? 😊
@mallikarjunhagargi7830
@mallikarjunhagargi7830 1 month ago
Hey Basant, please clarify one doubt. Is the user required to call the refresh token endpoint when the access token has expired? Can't we refresh internally by calling that refresh token logic inside the claims verification and allow the user to access resources seamlessly???
@Javatechie
@Javatechie 1 month ago
Yes, we can do that; your frontend app needs to invoke that API.
@Code_With_Vicky
@Code_With_Vicky 1 year ago
Please do one concept in Java: webhooks, how to implement them and how they work.
@saikumardasari4220
@saikumardasari4220 1 year ago
Sir, in Spring Boot 3.1 there are a lot of changes regarding microservice implementation. Please explain the 3.1 documentation once. Thanks in advance.
@Javatechie
@Javatechie 1 year ago
Okay, I will do that.
@user-qc6lc6fu1r
@user-qc6lc6fu1r 10 months ago
Hello sir, thank you for this excellent video. I have a doubt, sir: the refresh token's job is simply to reduce re-authentication of the user by providing a new JWT or access token when their token expires, right!! If so, then in the real world most applications use refresh tokens; in this way, whenever the user's auth token expires, with the help of the refresh token they will regenerate it again and again, so they should never get sessioned out and logged out, and they can access the endpoints forever. But they do get logged out because of token expiration. Why, sir?
@Javatechie
@Javatechie 10 months ago
Yes, correct. Let's say I generate a refresh token whose expiration time is 10 min. Suppose I went out, came back and opened my system; then it will definitely show me logged out, as within 10 min I haven't refreshed the token.
@user-qc6lc6fu1r
@user-qc6lc6fu1r 10 months ago
@@Javatechie Sir, then one follow-up question. Let's say I created a JWT token which expires in 30 mins; then what should our refreshToken expiry time be? Should it be more than the JWT token expiry time, like 40 mins, 60 mins, something like that? And sir, in your implementation of the refresh token API, whenever you generate a new JWT token you are not creating a new refresh token; we are returning the same refreshToken. Let's say for the 2nd time our 3 min JWT token expired, but just 5 mins after expiry I came again, since the 10 min refresh token window is there, and hit the refresh token endpoint; then it won't return me a new JWT token and I have to log in again. That's not the correct approach, right? Since the 10 min refresh token expiry is there, no matter how many times I go out and come back, if I am hitting the refresh token within 10 mins it should always generate a new JWT token. Only if I exceed 10 mins and try to generate a JWT token should it throw an error; but within 10 mins, if I come and hit the refresh token, it should always give one and shouldn't expire, no? Please clear this doubt, sir. I am considering these 3 min and 10 min expiry times as an example.
@supriyaalapati7161
@supriyaalapati7161 1 year ago
I have tried the code and am getting an issue: RefreshToken.builder() is throwing an error saying "The method builder() is undefined for the type RefreshToken". Can you please help with how to resolve it? I have added the builder annotation in the RefreshToken entity.
@Javatechie
@Javatechie 1 year ago
Please configure Lombok in your IDE. That will solve your issue.
@gnsc
@gnsc 1 year ago
You have to add the annotation @Builder to your class.
@himankshah9275
@himankshah9275 11 months ago
403 error when generating an access token from the token.
@ishantbhatia3194
@ishantbhatia3194 1 year ago
Thanks
@sabyasachirajkumar2704
@sabyasachirajkumar2704 1 month ago
@javatechie Please let me know, in a real-time project, where we store the JWT token, how we create the secret key, where we store the secret key and how we access it.
@devanandgalande3781
@devanandgalande3781 1 month ago
In the UI, you can store the token in session storage. And for the secret key, use Spring Vault or store it in Consul properties.
@jatinsharma3792
@jatinsharma3792 3 months ago
What is the point of setting the expiry time in the refresh token, then, if you have the expiry time in the JWT token?
@devanandgalande3781
@devanandgalande3781 1 month ago
If you don't, then the user never has to log in and can continue using the session for a lifetime 😂
@saravanakumars52
@saravanakumars52 1 year ago
The wrong GitHub link is provided in the description. Can you provide the right one??
@Javatechie
@Javatechie 1 year ago
Sorry for the inconvenience. Updated, please check now.
@jitenderyadav1308
@jitenderyadav1308 1 year ago
If anyone gets my token (UUID id), then he/she can hit the refresh token API with my user id. How do we secure it then???
@Javatechie
@Javatechie 1 year ago
First of all, this needs to be integrated with the UI, and in the UI there should be a button to refresh where this id will be mapped behind the scenes. Nothing will be visible to the user.
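The single-use rotation that earlier commenters describe (a refresh token is consumed on first use and replaced by a new accessToken/refreshToken pair with a fresh expiry, so a replayed or expired token is rejected) is shown below as an added example; it is not the tutorial's code. The in-memory map, the 3 min / 10 min lifetimes and the fakeJwt helper are assumptions standing in for the video's RefreshToken table and its JWT service.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not the tutorial's code: refresh-token rotation with an
// in-memory store standing in for the RefreshToken table from the video.
public final class RefreshTokenRotation {

    // Assumed lifetimes (not the video's values): short-lived JWT, longer refresh token.
    static final Duration ACCESS_TTL = Duration.ofMinutes(3);
    static final Duration REFRESH_TTL = Duration.ofMinutes(10);

    record RefreshToken(String token, String username, Instant expiry) {}
    record TokenPair(String accessToken, String refreshToken) {}

    // Keyed by the opaque random token; a real project would use a JPA repository.
    private final Map<String, RefreshToken> store = new ConcurrentHashMap<>();

    // Stand-in for a JWT service; a real one signs the claims with the secret key.
    static String fakeJwt(String username, Instant now) {
        return "jwt-for-" + username + "-exp-" + now.plus(ACCESS_TTL).getEpochSecond();
    }

    public TokenPair login(String username, Instant now) {
        return issuePair(username, now);
    }

    // The refresh endpoint: the presented token must exist and be unexpired,
    // and it is removed before a new pair is issued, so a second presentation fails.
    public Optional<TokenPair> refresh(String presented, Instant now) {
        RefreshToken stored = store.remove(presented); // single use: gone after first use
        if (stored == null) {
            return Optional.empty(); // unknown or already used
        }
        if (!now.isBefore(stored.expiry())) {
            return Optional.empty(); // expired: the client must log in again
        }
        // Rotation: a new access token AND a new refresh token with a fresh expiry
        return Optional.of(issuePair(stored.username(), now));
    }

    private TokenPair issuePair(String username, Instant now) {
        String refresh = UUID.randomUUID().toString();
        store.put(refresh, new RefreshToken(refresh, username, now.plus(REFRESH_TTL)));
        return new TokenPair(fakeJwt(username, now), refresh);
    }

    public static void main(String[] args) {
        RefreshTokenRotation svc = new RefreshTokenRotation();
        Instant t0 = Instant.parse("2023-05-18T10:00:00Z"); // constructed timestamp
        TokenPair first = svc.login("alice", t0);
        // 5 minutes later: the JWT has expired but the refresh token is still valid
        TokenPair second = svc.refresh(first.refreshToken(), t0.plusSeconds(300)).orElseThrow();
        // Replaying the already-consumed refresh token is rejected
        boolean replayRejected = svc.refresh(first.refreshToken(), t0.plusSeconds(301)).isEmpty();
        // The rotated token expires 10 min after rotation, so it still works 14 min after login
        boolean rotatedValid = svc.refresh(second.refreshToken(), t0.plusSeconds(840)).isPresent();
        System.out.println("replay rejected: " + replayRejected + ", rotated token valid: " + rotatedValid);
    }
}
```

With this shape the window in which a leaked refresh token can be used closes at its first legitimate use, and the expiry question raised above is answered by issuing a fresh expiry on every rotation rather than extending the old row.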
@Koutuk13
@Koutuk13 10 months ago
Hi Basant, thank you for sharing the knowledge and for the informative content. Can you please explain whether the refresh token concept can be applied to communication between 2 microservices? Ideally, how should the behavior be if one microservice API is trying to access another microservice API which is secured with JWT but the access token has expired? Thanks!
@Javatechie
@Javatechie 10 months ago
Hello buddy, it seems you are misinterpreting microservice architecture; no worries. Usually the API gateway is the component that handles this security mechanism in microservices, so even though internally you call one service from another, that's absolutely fine. Your first API call needs to re-authenticate if the token expires. Hope this clears your doubts. Do let me know if you need any further information.
@Koutuk13
@Koutuk13 10 months ago
@@Javatechie Thank you for clearing the doubt. 👍
@vineethchinna3951
@vineethchinna3951 1 year ago
Can you please make a video on Okta connecting to a MySQL database and using the details from the SQL database for authentication and authorization, instead of manually adding users in Okta/Keycloak as you did in your channel? Please make a video; there is no reference for that anywhere.
@Javatechie
@Javatechie 1 year ago
Okay, sure.
@vineethchinna3951
@vineethchinna3951 1 year ago
@@Javatechie Thank you so much, you are very good at learning and teaching. You are really helping people who don't get good projects but still want to learn.
@sarojsahoo8763
@sarojsahoo8763 1 year ago
So once the refresh token expires, the user has to log in again by giving the credentials.
@Javatechie
@Javatechie 1 year ago
Saroj, yes exactly.
@epilux-gm8zm
@epilux-gm8zm 10 months ago
As far as I know, it's not good practice to send the role in the JWT. You should implement an ACL in the backend based on the username to validate the role. Btw, nice tutorial! Good job!
@Javatechie
@Javatechie 10 months ago
ACL, I am not aware of this, buddy; any reference please?
@epilux-gm8zm
@epilux-gm8zm 10 months ago
@@Javatechie I meant (which does not mean that I am right) that you should check the role in the backend based on the username. I didn't mean to be a jack a**; I know that this supposes writing more "unnecessary" code, but this is my approach due to vulnerabilities that exist in the wild.
@epilux-gm8zm
@epilux-gm8zm 10 months ago
@@Javatechie Btw, you helped me a lot with Spring Boot; your videos are veeerrrrry good. I was stuck with the refresh token.
@sahilpatel2885
@sahilpatel2885 1 year ago
Is there any way to expire the JWT in a logout API?
@Javatechie
@Javatechie 1 year ago
Yes, you can update the expiration time to 0.
@sahilpatel2885
@sahilpatel2885 1 year ago
@@Javatechie Yeah, got it. Thanks 👍
@user-cc6hc6xk1c
@user-cc6hc6xk1c 6 months ago
After the token has expired he will get a 401 Unauthorized error, not 403.
@harrishpaul7374
@harrishpaul7374 1 year ago
The Product table is not created.
@Javatechie
@Javatechie 1 year ago
Check your application.properties file to see whether you configured hbm2.auto.ddl to true or not.
@harrishpaul7374
@harrishpaul7374 1 year ago
@@Javatechie While fetching product details via the API in Postman, the product details did not come.
@Javatechie
@Javatechie 1 year ago
Are you able to store a product in the DB?
@saulitocastaneda915
@saulitocastaneda915 5 months ago
You are not serious; why are you using /login? You could argue that this is not a REST API. In that case, why are you using JWT?
@Javatechie
@Javatechie 5 months ago
What is your question ❓ I didn't get you, man.
@user-xb2dv2ew6j
@user-xb2dv2ew6j 2 months ago
What's your suggestion? Perform the full authentication process on each request?
@user-qc6lc6fu1r
@user-qc6lc6fu1r 10 months ago
kbk
@user-xb2dv2ew6j
@user-xb2dv2ew6j 2 months ago
How can one listen to this...
@KumarR-ps3be
@KumarR-ps3be 11 months ago
I successfully added JWT token generation and a refresh token in Spring 3. But after I add @EnableSwagger2 my project does not run because of Jakarta. How do I solve this? Can you please upload a video for Spring 3 + JWT token + Spring Security with Swagger?