Single JWT as authentication and refresh token
I'm implementing an authentication mechanism using JWT tokens and exploring best practices for securely storing these tokens on the client side.
My JWT includes a jti claim populated with random bytes to ensure the claims are not easily guessable.
I'm considering storing the JWT payload in an HTTP-only cookie and the signature in localStorage. Is this approach recommended for enhancing security, or are there better alternatives?
For the refresh token mechanism, I'm contemplating using the signature part of the JWT as an opaque token saved in the database. To refresh the token, a client would need to provide both the expired token and its signature, which is then verified against the database entry.
I've seen discussions on token splitting but my question extends to the use of refresh tokens specifically. I'm considering generating a new opaque token for the refresh mechanism, but I'm unsure if this offers any significant advantage over using the JWT signature directly.
By using a single JWT in this manner, it would serve dual purposes: authentication and token refreshing. Is this a secure and efficient approach, or should I consider alternative strategies?
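The dual-use flow described in the question, worked through as an added example (not code from the post): an HS256 JWT is minted, split into the header.payload part (for the HttpOnly cookie) and the signature part (for localStorage), and the server keeps only a SHA-256 hash of the signature as the one-time refresh record, so a refreshed token rotates and the old signature cannot be replayed. The key, TTL and store are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo key; a real deployment loads this from a secret store.
KEY = b"constructed-demo-hmac-key"
TTL = 60  # seconds the access JWT stays valid

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(sub: str, now: int, store: dict) -> str:
    """Mint an HS256 JWT and register sha256(signature) as its refresh record."""
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "jti": b64u(secrets.token_bytes(16)), "exp": now + TTL}
    signing_input = f"{header}.{b64u(json.dumps(claims).encode())}"
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    # Store only a hash: a leaked table does not yield usable refresh tokens.
    store[hashlib.sha256(sig).hexdigest()] = claims["jti"]
    return f"{signing_input}.{b64u(sig)}"

def split(token: str) -> tuple:
    """Header.payload goes in the HttpOnly cookie, signature in localStorage."""
    head, payload, sig = token.split(".")
    return f"{head}.{payload}", sig

def verify(signing_input: str, sig: str, now: int, allow_expired=False) -> dict:
    """Recompute the HMAC in constant time, then enforce exp unless refreshing."""
    expected = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(signing_input.split(".")[1]))
    if not allow_expired and now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def refresh(signing_input: str, sig: str, now: int, store: dict) -> str:
    """Accept an expired token whose signature is still registered; rotate it."""
    claims = verify(signing_input, sig, now, allow_expired=True)
    record = hashlib.sha256(b64u_dec(sig)).hexdigest()
    if store.pop(record, None) != claims["jti"]:  # pop makes it single-use
        raise ValueError("refresh token unknown or already used")
    return issue(claims["sub"], now, store)
```

Because the signature is a deterministic function of the payload and the key, the database record adds nothing to authenticity; what it adds is server-side revocation and single-use rotation, which is the property a separate opaque refresh token would otherwise provide.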