I’m using JWT to authenticate users in the backend. Users log in using the Auth0 Lock Sign In page; the frontend code gets the access token and stores it in local storage. Any API request made from the frontend will have this access token to accomplish the request. Since this access token will expire, we are planning to have a checkbox that says "keep me logged in" in the Sign In page. If the user checks this checkbox while logging in, we’ll use a refresh token to get a new access token before the old one expires.
How do I add a checkbox in the Sign In page?
You need to be a bit more specific about your current usage; for example, Lock can be used in a centralized login approach (hosted login page) or embedded login approach (directly in your client application). The keep me logged in user interface would not make sense in the centralized login approach because at this time a session is already being established either way.
In addition to that, the application you describe seems to fit the SPA paradigm, as the browser-side code (frontend) is storing the token and then performing API calls. The use of refresh tokens is not adequate for SPAs because storing refresh tokens (long-lived tokens) in a browser environment is not a good idea.
The approach to refresh tokens in a SPA is to leverage an authenticated session established at the identity provider (in this case your Auth0 account) and then request a new access token in a way that the user does not actively need to authenticate (as long as the session is still valid). See:
https://auth0.com/docs/libraries/auth0js/v9#using-checksession-to-acquire-new-tokens
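Added example, not part of the original answer and not Auth0's own code: a sketch of the silent renewal the linked page describes, calling auth0.js v9 `checkSession` shortly before the access token expires and handing control back for an interactive login once the Auth0 session has ended. The helper names, the one-minute margin and the contents of `options` (audience, scope) are assumptions; `webAuth` is expected to be an `auth0.WebAuth` instance.

```javascript
// Added example: silent access-token renewal for a SPA with no refresh token
// stored in the browser. Helper names and the margin are assumptions.
const RENEW_SKEW_MS = 60 * 1000; // renew one minute before expiry (assumed)

// Errors that mean the Auth0 session cannot satisfy the request silently.
const NEEDS_INTERACTION = ['login_required', 'consent_required', 'interaction_required'];

// Delay until the next renewal attempt; never negative.
function msUntilRenewal(expiresAtMs, nowMs, skewMs = RENEW_SKEW_MS) {
  return Math.max(0, expiresAtMs - skewMs - nowMs);
}

// Ask Auth0 for a new access token using the existing session at the
// identity provider. Reports exactly one of:
//   { status: 'renewed', accessToken, expiresAtMs }
//   { status: 'login_required' }   session gone, user must sign in again
//   { status: 'error', error }     anything else (network, configuration)
function renewSession(webAuth, options, nowMs, done) {
  webAuth.checkSession(options, (err, authResult) => {
    if (err) {
      done(NEEDS_INTERACTION.includes(err.error)
        ? { status: 'login_required' }
        : { status: 'error', error: err.error || 'unknown' });
      return;
    }
    done({
      status: 'renewed',
      accessToken: authResult.accessToken,
      expiresAtMs: nowMs + authResult.expiresIn * 1000, // expiresIn is in seconds
    });
  });
}

// Hand each token to the caller (keep it in memory) and re-arm a timer after
// every successful renewal. On any failure, stop and let the caller decide
// whether to show the login page.
function startSilentRenewal(webAuth, options, onToken, onStop) {
  const attempt = () => renewSession(webAuth, options, Date.now(), (result) => {
    if (result.status !== 'renewed') {
      onStop(result);
      return;
    }
    onToken(result.accessToken);
    setTimeout(attempt, msUntilRenewal(result.expiresAtMs, Date.now()));
  });
  attempt();
}
```

How long the user stays signed in is then governed by the session lifetime at the identity provider rather than by a long-lived token held in browser storage.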