Auth tokens

I am using JWT tokens to authenticate with my backend. But it's not as secure as OAuth. Can anyone tell me a library with which I can use OAuth with refresh token support?

Why do you say this?

I believe web / hybrid apps can only use the Implicit Grant Flow, since the other OAuth2 flows would require distributing your client secret to all users (security issue). Unfortunately, “the implicit grant type […] does not support the issuance of refresh tokens.”

https://tools.ietf.org/html/rfc6749#page-31

I’m working on an app to directly consume Google APIs, so I’ve encountered this issue. I’m using pure JavaScript for auth though, no libraries and no servers. I’m doing a pseudo-refresh by setting a 3600-second (max allowed token life) timeout on successful auth before automatically re-authorizing and getting a new (different) token. It’s kind of an ugly hack, but it works, more or less. If users remain logged into the OAuth provider and have only one account it is a quick double redirect hourly. It’s barely noticeable, but has the potential to interrupt their work. So I’ll have to add a graceful warning and/or allow users to manually get a new token before the current one expires.

It’s extremely dangerous to make blanket statements saying one technology is better than another. In this case, the two complement each other.

You can have the user credentials OAuth flow return JWTs and refresh tokens. That’s about as good as you’re going to get on the client side (depends, but it’s simple to implement if you trust the client). The nice thing about this is the JWT can be independently verified with a short expiry time and the client can refresh it if necessary.

One thing you have to remember is that, without any kind of protection, storing tokens that can be used to authenticate a user on the client is always dangerous.

In the above example, the only way to protect the login tokens (JWT and refresh) would be to prompt the user for a password or pin (although you could get clever with fingerprints, NFC, etc) and use that to encrypt the tokens.

EDIT: I should mention I’m implementing both the OAuth server and the client. The type of flow you use varies on the situation. But you can still use JWTs in most situations except implicit grant.