I am using JWT tokens to authenticate with my backend. But it's not as secure as OAuth. Can anyone tell me a library that I can use for OAuth with refresh token support?
Why do you say this?
I believe web / hybrid apps can only use the Implicit Grant Flow, since the other OAuth2 flows would require distributing your client secret to all users (security issue). Unfortunately, “the implicit grant type […] does not support the issuance of refresh tokens.”
It’s extremely dangerous to make blanket statements saying one technology is better than another. In this case, the two complement each other.
You can have the user credentials OAuth flow return JWTs and refresh tokens. That’s about as good as you’re going to get on the client side (depends, but it’s simple to implement if you trust the client). The nice thing about this is the JWT can be independently verified with a short expiry time and the client can refresh it if necessary.
One thing you have to remember is that, without any kind of protection, storing tokens that can be used to authenticate a user on the client is always dangerous.
In the above example, the only way to protect the login tokens (JWT and refresh) would be to prompt the user for a password or PIN (although you could get clever with fingerprints, NFC, etc.) and use that to encrypt the tokens.
EDIT: I should mention I’m implementing both the OAuth server and the client. The type of flow you use varies with the situation. But you can still use JWTs in most situations except implicit grant.
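The PIN-based protection suggested above for the stored JWT and refresh token, as an added example that is not part of the original posts. It assumes Node's `crypto` module (a hybrid app would use its platform's WebCrypto or secure-storage equivalent); the function names, scrypt parameters and sample tokens are illustrative.

```javascript
// Added example: PIN-protected token storage. All names here are hypothetical.
const crypto = require("node:crypto");

// scrypt cost parameters (assumed values; tune for the target devices).
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Constructed sample data, not real tokens.
const SAMPLE_TOKENS = { jwt: "aaa.bbb.ccc", refresh: "constructed-refresh-token" };

function deriveKey(pin, salt) {
  return crypto.scryptSync(pin, salt, 32, KDF);
}

// Encrypt the token pair under a key derived from the user's PIN.
// A fresh salt and IV are generated on every call.
function sealTokens(pin, tokens) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(pin, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(tokens), "utf8"), cipher.final()]);
  return [salt, iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64")).join(".");
}

// Returns the tokens, or null when the PIN is wrong or the blob was modified.
function openTokens(pin, blob) {
  const parts = blob.split(".").map((p) => Buffer.from(p, "base64"));
  if (parts.length !== 4) return null;
  const [salt, iv, tag, ct] = parts;
  if (salt.length !== 16 || iv.length !== 12 || tag.length !== 16) return null;
  try {
    const decipher = crypto.createDecipheriv("aes-256-gcm", deriveKey(pin, salt), iv);
    decipher.setAuthTag(tag); // GCM tag check fails on a wrong key or tampering
    const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
    return JSON.parse(pt.toString("utf8"));
  } catch {
    return null;
  }
}

const sealed = sealTokens("4821", SAMPLE_TOKENS);
console.log(openTokens("4821", sealed) !== null, openTokens("0000", sealed) === null);
```

A short numeric PIN has a small search space, so the key derivation only slows offline guessing against a copied blob; it does not prevent it. Keeping the refresh token revocable and the JWT short-lived on the server limits what a recovered blob is worth.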