JWT Access Token and Refresh methodology

Posted 2 years ago by etelford

I'm creating an API using Laravel 5.3 (and OAuth with Passport) and I'll have a other separate applications (likely also Laravel) that will act as a consumer of the API. For my purposes, I cannot build a frontend into the API.

On the consuming application side, I'll be using a password grant to allow a user to log in. So, the workflow is like this:

Consuming app

  1. User hits the login page
  2. Login submission sends the request to the API as a password grant request. I'll also store my client secret in the consuming app.


  1. API attempts to authorize the request
  2. A successful request sends back access_token, refresh_token, and an expiration.

Consuming app

  1. Store access_token, refresh_token, and an expiration in the session (server-side).
  2. Before each request from the consuming app to the API, check to see if the expiration has passed. If it hasn't, just use the access_token; If it has, use the refresh_token to request a new access_token.
  3. After a new access_token is issued, store that in the session and continue with the original request using this new access_token.

My questions are:

  1. Is this a reasonable method for what I'm trying to accomplish?
  2. Are there any security concerns that this particular method would cause that I should be aware of?

Thanks for any help/guidance you can give me.

By the way, I posted this on Stack Overflow here but I didn't receive any activity so I'm cross posting here.

Please sign in or create an account to participate in this conversation.