Is there any option in the Tyk open source gateway (without dashboard) to set up refresh tokens when an API is protected using JWT tokens?
I know it is present for OAuth2 for creating new access tokens when the current access token expires.
I was wondering if a similar method is also present for JWT.
I don’t think we have an option like this.
When protecting your APIs with a JWT, the client obtains its access token from elsewhere, e.g. an OpenID Connect Authorization Server using the Authorization Code flow or similar.
Usually, when the client authorizes, it requests a bunch of scopes, such as openid profile email offline_access. The offline_access scope hints that we need a refresh token, and the OIDC server typically returns 3 tokens:
The ID token contains information about the logged-in user.
The access token is what you need to use on the Gateway to access the API.
The refresh token is used against the authorization server's /token endpoint when the access token expires, in order to receive a new/fresh access_token.
So in summary: as long as access_tokens are valid when they are being used to access APIs, Tyk is happy and will continue granting access. The refresh token logic has nothing to do with Tyk, as it is between the client and the authorization server.
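The client-side half of the flow described in this answer, as an added example (not part of the original thread, and not Tyk's or any authorization server's own code): the client reads exp from its own JWT to decide when to refresh, posts a grant_type=refresh_token request (RFC 6749 section 6) to the authorization server's /token endpoint, and only then presents the Bearer token to the gateway. TOKEN_URL, GATEWAY_URL, the client id, and the fake_jwt/fake_post helpers are assumptions constructed so the script runs offline; the sample token is unsigned and a real gateway would reject it.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Hypothetical endpoints, used only to illustrate the flow.
TOKEN_URL = "https://auth.example.com/oauth2/token"     # authorization server /token endpoint (assumed)
GATEWAY_URL = "https://gateway.example.com/orders/"      # Tyk-protected API (assumed)


def b64url_decode(segment):
    """base64url without padding -> bytes (JWS strips the '=' padding)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Read the payload of a compact JWS. No signature check here: the client only
    needs `exp` to plan a refresh; verifying the signature is the gateway's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def is_expiring(token, skew=30, now=None):
    """True when `exp` is missing, already past, or within `skew` seconds of now."""
    now = time.time() if now is None else now
    exp = jwt_claims(token).get("exp")
    return exp is None or now + skew >= exp


def post_form(url, form):
    """Default transport: application/x-www-form-urlencoded POST, JSON response."""
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def refresh_access_token(refresh_token, client_id, client_secret=None, post=post_form):
    """Refresh grant against the authorization server (RFC 6749 section 6).
    Returns (access_token, refresh_token); the server may rotate the refresh token."""
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": client_id}
    if client_secret:
        form["client_secret"] = client_secret
    body = post(TOKEN_URL, form)
    if "access_token" not in body:
        raise RuntimeError("refresh failed: %s" % body.get("error", body))
    return body["access_token"], body.get("refresh_token", refresh_token)


def ensure_fresh(access_token, refresh_token, client_id, skew=30, now=None, post=post_form):
    """Refresh only when needed. Returns (access_token, refresh_token, refreshed)."""
    if not is_expiring(access_token, skew, now):
        return access_token, refresh_token, False
    new_access, new_refresh = refresh_access_token(refresh_token, client_id, post=post)
    return new_access, new_refresh, True


def bearer_request(access_token, url=GATEWAY_URL):
    """The request the gateway sees: Tyk validates only this JWT, never the refresh token."""
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})


def fake_jwt(claims):
    """Constructed, UNSIGNED sample token for offline runs: the signature segment is a
    placeholder, so a real gateway would reject it. Only `exp` matters to this client."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Constructed offline demo: a token that expired at t=1000, refreshed via a fake /token endpoint.
    old = fake_jwt({"sub": "alice", "exp": 1000})

    def fake_post(url, form):
        assert form["grant_type"] == "refresh_token"
        return {"access_token": fake_jwt({"sub": "alice", "exp": 4600}), "refresh_token": "rt-2"}

    access, refresh, refreshed = ensure_fresh(old, "rt-1", "my-client", now=1010, post=fake_post)
    print("refreshed:", refreshed, "new exp:", jwt_claims(access)["exp"], "refresh token now:", refresh)
    print(bearer_request(access).get_header("Authorization"))
```

Two points worth noting in practice: the client decodes its own token without verifying the signature, which is fine only because the gateway does verify it before granting access; and many authorization servers rotate the refresh token on every use, so the client must persist the refresh_token returned by /token rather than the one it originally received.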
Thanks @Olu @ahmet for the information.