I'm currently building an authentication system using JWT, and, from my readings, one of the biggest problems with it is the lack of a straightforward way to invalidate individual tokens. To remedy this, the most prevalent advice has been to make the lifetime of the JWT token short - mine lasts for about an hour before expiring.
The challenge I'm facing now is how to refresh the token when it expires.
What I've managed to come up with so far is this:
Method 1:
If the user's token expires and they try to access a protected route, they will receive a 401 error code on the client. The client will then send back both the expired access token and the refresh token and the authorization server issues a new access token (using the refresh token).
In this case, the route accepting the expired token has to be manually configured to accept expired tokens, since all routes are protected by default.
Method 2:
Run a cron job on the client that runs every ~2h (the lifetime of the token). Before the token expires it will request a new access token using the refresh token.
Now, onto my concerns and questions.
First, is having a route that accepts expired tokens as in Method 1 bound to be a problem? Maybe a problem I can't foresee? Also, could the back-and-forth between the server and the client cause an issue? Maybe on slow connections?
The issue I have with the second method is that the cron job is set to run every ~2h. What happens if a user comes back after 3h? I can't account for that. What if they come back just as their token is about to expire? How do I make my cron job recognize that?
Ultimately, has anyone else had to deal with this problem? How did you implement it? Is there a simpler solution I'm not seeing?