Proposed solution
Personally, this is how I’d approach it: the user authenticates and is issued an access token with a short expiry (say 15 mins) and a refresh token valid either for a much longer period or indefinitely. Store a record of this refresh token in a db.
Whenever the user is ‘active’, issue a new auth token each time (valid for 15 mins each time). If the user is not active for over 15 minutes and then makes a request (so uses an expired jwt), check the validity of the refresh token. If it’s valid (including db check) then issue a new auth token.
If a user ‘logs out’ either on a device or through a website then destroy both the access and refresh tokens client-side and, importantly, revoke the validity of the refresh token used. If a user changes their password on any device, then revoke all their refresh tokens, forcing them to log in again as soon as their access token expires. This does leave a ‘window of uncertainty’ but that’s unavoidable without hitting a db every time.
Using this approach also opens up the possibility of users being able to ‘revoke’ access to specific devices if required as seen with many major web apps.
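The scheme described in this post, written out as an added Python example (it is not code from the original post). It assumes a constructed HMAC key for HS256 access tokens, an in-memory dict standing in for the refresh-token table, and a 15-minute access lifetime; refresh tokens are stored only as SHA-256 hashes. It also adds one thing the post does not mention: a `MAX_SLIDING_SECONDS` cap, so a client that stays continuously active is forced back to a database check eventually.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for this example: a static HMAC key (a real deployment loads it from a
# secrets manager), the 15-minute access lifetime from the post, and an added cap on how
# long sliding renewal may keep an access token alive without a database check.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
ACCESS_TTL_SECONDS = 15 * 60
MAX_SLIDING_SECONDS = 24 * 60 * 60


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user: str, device: str, db_checked_at: int, now: int) -> str:
    """Compact HS256 JWT with a short exp. Nothing is stored server-side for it.
    'chk' records when the refresh-token row was last checked in the database."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user, "dev": device, "chk": db_checked_at,
               "iat": now, "exp": now + ACCESS_TTL_SECONDS}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode()))
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, now: int):
    """Return the payload if the HMAC verifies and exp is still in the future, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64url(parts[2])):
            return None
        payload = json.loads(_unb64url(parts[1]))
    except ValueError:  # bad base64 or bad JSON
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


class AuthService:
    """Refresh tokens are random secrets; the table keeps only their SHA-256 plus
    user, device and a revoked flag, so a leaked table does not leak usable tokens."""

    def __init__(self):
        self._refresh_rows = {}  # sha256(refresh token) -> {"user", "device", "revoked"}

    @staticmethod
    def _key(refresh_token: str) -> str:
        return hashlib.sha256(refresh_token.encode()).hexdigest()

    def login(self, user: str, device: str, now: int):
        refresh_token = secrets.token_urlsafe(32)
        self._refresh_rows[self._key(refresh_token)] = {
            "user": user, "device": device, "revoked": False}
        return issue_access_token(user, device, now, now), refresh_token

    def authorize(self, access_token: str, refresh_token: str, now: int):
        """Handle one request. Returns the access token the client should use next,
        or None when the caller must log in again."""
        payload = verify_access_token(access_token, now)
        if payload is not None and now - payload.get("chk", 0) < MAX_SLIDING_SECONDS:
            # Active user: re-issue without touching the database (the post's fast path).
            return issue_access_token(payload["sub"], payload["dev"], payload["chk"], now)
        # Access token expired (or sliding cap reached): fall back to the refresh token.
        row = self._refresh_rows.get(self._key(refresh_token))
        if row is None or row["revoked"]:
            return None
        return issue_access_token(row["user"], row["device"], now, now)

    def logout(self, refresh_token: str) -> None:
        """Revoke only the refresh token presented by this device."""
        row = self._refresh_rows.get(self._key(refresh_token))
        if row is not None:
            row["revoked"] = True

    def change_password(self, user: str) -> None:
        """Revoke every refresh token for the user; sessions end as access tokens expire."""
        for row in self._refresh_rows.values():
            if row["user"] == user:
                row["revoked"] = True

    def revoke_device(self, user: str, device: str) -> None:
        """Per-device revocation, as in the 'manage your devices' pages the post mentions."""
        for row in self._refresh_rows.values():
            if row["user"] == user and row["device"] == device:
                row["revoked"] = True

    def active_devices(self, user: str):
        return sorted(r["device"] for r in self._refresh_rows.values()
                      if r["user"] == user and not r["revoked"])
```

The fast path in `authorize` is exactly the ‘window of uncertainty’ from the post: after `logout` or `change_password`, an unexpired access token keeps renewing itself until it expires or the sliding cap forces a database check, which is why the cap exists in this version.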