I have a project that includes a web application, a mobile app (Ionic 3) and a REST API module (on HTTPS).
My main concern is to implement a secure login and communication between them.
Below I detail the solution I chose, and I want to ask if it is correct and secure.
Steps to follow:
- on login in the app the server returns a JWT - Access Token
- when I call any function from the API (except login) I will send the following parameters:
  - inside header: JWT Access Token (stored in local storage)
  - inside body: any other param necessary to call the API's functions
- inside every function from the REST API, before execution, I check if the Access token is valid.
Token validation:
a) if the Access token is valid I continue to execute the function and return a value to the mobile app
b) if the Access token is NOT valid it means I have 2 possible error sources:
- b1) the Access token integrity is compromised -> the returned answer redirects the user to login (this way he doesn't have access anymore to the app)
- b2) the Access token expired -> I create a new Access token with the same payload but with new validity. At the same time I create the new Access token I also check the IdClient (IdClient is generated from the Access Token payload) in the DB (if it is active, if it has the same rights to access the API ...). After this I send this new JWT Access token to the mobile app to be used and stored.
This way, I believe I don't have to use a Refresh token, even if the Access Token I use has a limited life period.
Is this correct and secure or am I missing something?
Thanks a lot!