Django REST JWT Refresh
Implemented Django REST and authentication using JWT. For the JWT token we have to refresh it before it expires. After it has expired, JWT won't give a new token.

For my mobile device I need to refresh the token every 10 mins (JWT_EXPIRATION_DELTA), and if the user is not active for more than 10 minutes, then I need to ask them to log in. Is there any way that I can refresh the token even after the JWT token has expired? (We can limit the time to refresh to 2 days.)

What's the best way to handle this behavior on mobile?

Thanks.

Dingess answered 2/3, 2017 at 5:34 Comment(0)
You can use refresh tokens, as defined in OAuth 2.0:

Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires,

After a successful login, issue a refresh and an access token. While an access token expires shortly, a refresh token is long-lived. Store it securely, and use it to issue new access tokens when the current one expires.

Substitute answered 2/3, 2017 at 7:40 Comment(2)
Hi. Thanks. I got your point. How can we do this in django-rest-framework-jwt? It gives only one token on user login. We need two tokens for a login? getblimp.github.io/django-rest-framework-jwt. Thanks – Dingess
It seems the framework does not support 'refresh tokens' as I have answered. The token can be refreshed using the previous one, but it is not possible to issue a token only for getting new access tokens. The alternative for your mobile device is issuing a JWT with a greater expiration (~2 days), without considering using another framework. – Substitute
Refreshing tokens in django-rest-framework-jwt

The django-rest-framework-jwt (v. 1.11.0) does not support "Refresh Tokens" as described, for example, here. It only supports refreshing non-expired tokens; this makes it easy to implement a sliding expiration window with a width of JWT_EXPIRATION_DELTA. For example, with the settings

JWT_AUTH = {  # in settings.py; needs `import datetime` at the top of the file
    'JWT_EXPIRATION_DELTA': datetime.timedelta(seconds=300),
    'JWT_REFRESH_EXPIRATION_DELTA': datetime.timedelta(days=7),
}

the user cannot be inactive for more than five minutes in order to stay logged in (docs).

Real Refresh Tokens, please?

It is possible to implement "Refresh Tokens", which are very long-lived ("never expiring") tokens stored in a database, just like conventional "HTTP Sessions & SessionIDs". This has actually already been implemented for django-rest-framework-jwt in django-rest-framework-jwt-refresh-token. Another possibility is to use django-rest-framework-simplejwt, which also implements JWT with Access and Refresh Tokens (full example at Medium).

But... why?

Compared to using only Access Token JWTs, using Refresh Tokens makes it possible to revoke access after the Access Token has expired. Refresh Tokens make it possible to have very long-lasting ("lifetime of a mobile device") tokens. One may ask why you shouldn't just stick with sessions (sessionid in a Cookie, and session data in a database table), if you are creating a collection of Refresh Tokens in a database and accessing that. Using an Access Token with an expiration time of one hour will mean that the database must be accessed once per hour (instead of once per PUT/POST request when using "traditional" sessions). In addition, you gain all the usual benefits of JWT tokens (ease of use in a microservice network, for example).

Babette answered 26/11, 2017 at 21:9 Comment(4)
I am using simplejwt. I just wanted to know if there is any way to make the expiry time of the refresh token infinite. – Threshold
Of the three projects, and as of June 2020, only github.com/davesque/django-rest-framework-simplejwt is actively maintained. – Rotifer
@söze yes. But for now django-rest-framework-simplejwt is also looking for maintainers: github.com/SimpleJWT/django-rest-framework-simplejwt/issues/207 – Vanesavanessa
@Threshold in simplejwt you can set the lifetime of the refresh token in your settings.py like 'REFRESH_TOKEN_LIFETIME': timedelta(days=1000). – Whiten
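As an added example (not code from this thread, nor from django-rest-framework-jwt, django-rest-framework-jwt-refresh-token or simplejwt), the following stdlib-only Python models both designs discussed in Substitute's answer and in this one: the single-token sliding window that the first part of this answer describes (a token can be refreshed only while it is still unexpired, and only until orig_iat plus JWT_REFRESH_EXPIRATION_DELTA), and the OAuth2-style refresh token that the rest of the answer recommends (an opaque, long-lived credential stored hashed on the server, which mints new access tokens after the old one has expired and can be revoked, which a plain JWT cannot). The token encoding is standard HS256 JWT; the secret, the in-memory store, the function names and the time values are constructed for the demo and stand in for a settings file and a database table.

```python
"""Added example: two ways to "refresh" a JWT, modelled with the standard library only.

 1. Sliding window (what django-rest-framework-jwt's refresh endpoint does):
    the *same* JWT is re-issued while unexpired, until orig_iat + REFRESH_WINDOW.
 2. Real refresh tokens (OAuth2 model, as simplejwt does): a separate opaque
    token, stored hashed server side, issues new access tokens even after the
    access token expired, and can be revoked server side.

Secret, store, and time values are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-secret"   # constructed; load from configuration in real code
ACCESS_DELTA = 300                    # seconds, mirrors JWT_EXPIRATION_DELTA=300 above
REFRESH_WINDOW = 7 * 24 * 3600        # seconds, mirrors JWT_REFRESH_EXPIRATION_DELTA=7 days


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(claims: dict) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def decode_jwt(token: str, now: float) -> dict:
    """Verify the signature in constant time, then the expiry. Raises ValueError on failure."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


# --- 1. sliding-window refresh of a single JWT ---------------------------------

def issue_sliding_token(user: str, now: float) -> str:
    # orig_iat records the original login time and is carried across every refresh
    return encode_jwt({"sub": user, "iat": now, "exp": now + ACCESS_DELTA, "orig_iat": now})


def refresh_sliding_token(token: str, now: float) -> str:
    """Refresh is refused once the token has expired or the login is older than REFRESH_WINDOW."""
    claims = decode_jwt(token, now)                      # an expired token cannot be refreshed
    if now >= claims["orig_iat"] + REFRESH_WINDOW:
        raise ValueError("refresh window exhausted; log in again")
    return encode_jwt({**claims, "iat": now, "exp": now + ACCESS_DELTA})


# --- 2. real refresh tokens with a server-side store ---------------------------

_refresh_store: dict = {}   # sha256(refresh token) -> {"user": ..., "revoked": bool}; a DB table in practice


def _key(refresh: str) -> str:
    return hashlib.sha256(refresh.encode()).hexdigest()


def issue_access_token(user: str, now: float) -> str:
    return encode_jwt({"sub": user, "iat": now, "exp": now + ACCESS_DELTA})


def login(user: str, now: float) -> tuple:
    """Return (access_jwt, refresh_token). Only a hash of the refresh token is kept server side."""
    refresh = secrets.token_urlsafe(32)
    _refresh_store[_key(refresh)] = {"user": user, "revoked": False}
    return issue_access_token(user, now), refresh


def refresh_access_token(refresh: str, now: float) -> str:
    """Mint a new access token; the state of the old access token is irrelevant."""
    rec = _refresh_store.get(_key(refresh))
    if rec is None or rec["revoked"]:
        raise PermissionError("unknown or revoked refresh token")
    return issue_access_token(rec["user"], now)


def revoke_refresh_token(refresh: str) -> None:
    """Server-side revocation: the next refresh attempt fails, so access ends within ACCESS_DELTA."""
    rec = _refresh_store.get(_key(refresh))
    if rec is not None:
        rec["revoked"] = True
```

The two halves answer the original question differently: with the sliding window, a device that was idle longer than ACCESS_DELTA must log in again, exactly as the question complains; with the stored refresh token, the device can be idle for as long as the refresh token lives, and the store is consulted only once per access-token lifetime, which is the "once per hour instead of once per request" trade-off the answer describes. Storing only a hash of the refresh token means a leaked copy of the table does not yield usable credentials.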

© 2022 - 2024 — McMap. All rights reserved.