I'm trying to understand how to refresh the user session data in the JWT without forcing the user to login again. As a side note, I'm using a custom credentials provider and do not implement a User Auth Repository to allow refresh tokens. That's a big change to our structure - which we will be doing eventually.
So, JWT auth works currently, but when say a user role is updated, or company name changed, the JWT will contain the stale data. How can this be refreshed?
That’s what refresh tokens are for, you provide short-lived JWT tokens with long-lived Refresh Tokens. When the JWT Token expires the client has to fetch a new JWT Token using the refresh token.
But can it be done without somehow? It's going to be fairly complicated to change our structure to implement UserAuthRepository.
The entire point of JWT is that it’s stateless and encapsulates the User Session so it doesn’t require any I/O or DB access to validate.
Given it’s stateless, it effectively becomes stale the moment it’s created. Refresh Tokens is the solution for controlling the amount of time a JWT can be stale for.
In v5 we’ve added support for IUserSessionSource to provide an alternative source for creating Sessions embedded in JWT’s.
Otherwise if you want to avoid using Refresh Tokens all together don’t use any of the metadata in the JWT and just use the User Id to fetch their latest info when you need it.