Remain authenticated in a mobile application

I am working on an Ionic mobile app and have a Django backend. We currently use JWT authentication in order to access the Django backend (multiple applications use this backend, including a React frontend), so the current auth method needs to stay intact.

Now that we are working on an app we want the user to stay logged in after entering his credentials once on the app. I've been researching a good way to do this all day but can't seem to find a clear answer.

What is the best option to keep the user authenticated? Should I set a high expiration on the refresh token? (Not sure if that is secure...)

Should I use session auth? I found that Django mostly supports this for services on the same domain. It seems like you have to relax quite a few security settings, which doesn't seem to be the right solution.

I am not sure where to go from here. Do you guys have any suggestions?



Solution 1:[1]

I have not tried using Ionic, but generally what you want to do is to use an HTTP client in your application which has an interceptor that watches for responses with a 401 Unauthorized status. You can check whether the Authorization header used was the JWT; if so, the HTTP client could send a request to your JWT refresh endpoint with the refresh token, update the JWT access token on the mobile application and retry the request again.

You could store the JWT refresh token on the user's device.
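The refresh-on-401 interceptor described in this answer, as an added example that is not from the original post or the answerer: a framework-agnostic TypeScript client that attaches the Bearer token, refreshes once on a 401 and retries, sharing a single in-flight refresh among requests that fail together. The refresh endpoint path and the `{access, refresh}` response shape are assumptions (not taken from the question's backend), and the HTTP transport is injected so the class runs without Angular or a browser.

```typescript
// Minimal shapes so the example runs without browser or Angular types.
export interface HttpResponse { status: number; body?: unknown; }
export interface HttpOptions { method?: string; headers?: Record<string, string>; body?: string; }
export type Transport = (url: string, opts: HttpOptions) => Promise<HttpResponse>;
export interface TokenStore { accessToken: string | null; refreshToken: string | null; }

export class JwtClient {
  private refreshing: Promise<boolean> | null = null;

  // refreshUrl is an assumed endpoint path, not taken from the question's backend.
  constructor(private transport: Transport, private store: TokenStore,
              private refreshUrl = "/api/token/refresh/") {}

  // Send with the current access token; on 401 refresh once and retry once.
  async request(url: string, opts: HttpOptions = {}): Promise<HttpResponse> {
    const first = await this.transport(url, this.withAuth(opts));
    if (first.status !== 401 || !this.store.accessToken) return first;
    // Share one in-flight refresh among all requests that failed together.
    if (!this.refreshing) {
      this.refreshing = this.refresh().finally(() => { this.refreshing = null; });
    }
    const ok = await this.refreshing;
    if (!ok) return first;            // refresh rejected: user must log in again
    return this.transport(url, this.withAuth(opts));
  }

  private withAuth(opts: HttpOptions): HttpOptions {
    const headers = { ...(opts.headers ?? {}) };
    if (this.store.accessToken) headers["Authorization"] = `Bearer ${this.store.accessToken}`;
    return { ...opts, headers };
  }

  // Exchange the refresh token for a new access token (response shape assumed:
  // {"access": "...", "refresh"?: "..."}); any failure wipes both tokens.
  private async refresh(): Promise<boolean> {
    if (!this.store.refreshToken) return false;
    const res = await this.transport(this.refreshUrl, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ refresh: this.store.refreshToken }),
    });
    const data = res.body as { access?: string; refresh?: string } | undefined;
    if (res.status !== 200 || !data?.access) {
      this.store.accessToken = null; this.store.refreshToken = null;
      return false;
    }
    this.store.accessToken = data.access;
    if (data.refresh) this.store.refreshToken = data.refresh; // rotated refresh token
    return true;
  }
}
```

Wiring this into an Ionic app means calling `request` from the interceptor and routing the user to the login screen whenever it returns the original 401 after a failed refresh.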

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Innocent Peros