8

Implemented Django REST and authentication using JWT. For JWT token we have to refresh it before it expire. After expired JWT wont give new token.

For my mobile device I need to refresh the token every 10 mins (JWT_EXPIRATION_DELTA). and if user is not active for more than 10 minutes, then I need to ask to login. Is there any way that I can refresh the token even after JWT token expired. (we can limit the time to refresh as 2 day)

Whats the best way to handle this behavior in Mobile.

Thanks.

Karesh A
  • 1,731
  • 3
  • 22
  • 47

2 Answers2

13

Refreshing tokens in django-rest-framework-jwt

The django-rest-framework-jwt (v. 1.11.0) does not support "Refresh Tokens" as described for example here. It only supports refreshing non-expired tokens; It makes easy to implement a sliding expiration window with width of JWT_EXPIRATION_DELTA. For example, with settings

'JWT_EXPIRATION_DELTA': datetime.timedelta(seconds=300),
'JWT_REFRESH_EXPIRATION_DELTA': datetime.timedelta(days=7),

user cannot be inactive for more than five minutes in order to stay logged in (docs).

Real Refresh Tokens, please?

It is possible to implement the "Refresh Tokens", which are very long lived ("never expiring") tokens, stored in a database, just like in conventional "HTTP Sessions & SessionIDs". This is actually already been implemented for the django-rest-framework-jwt in django-rest-framework-jwt-refresh-token. Another possibility is to use django-rest-framework-simplejwt which also implements the JWT with Access and Refresh Tokens (full example at Medium).

But.. why?

Compared to using only Access Token JWT's, using Refresh Tokens makes possible to revoke access after the Access Token is expired. Refesh Tokens make it possible to have very long ("lifetime of a mobile device") lasting tokens. One may ask why shouldn't you just stick with sessions (sessionid in a Cookie, and session data in database table), if you are creating collection of Refresh Tokens in a database, and accessing that. Using an Access token with expiration time of one hour will mean that database must be accessed once per hour (instead once per PUT/POST request when using "traditional" sessions). In addition, you gain all the usual benefits of JWT tokens (ease of use in microservice network, for example).

Community
  • 1
  • 1
Niko Föhr
  • 28,336
  • 10
  • 93
  • 96
  • I am using simplejwt. I just wanted to know if there is any way to make the expiry time of refresh token infinite – coderDude Jan 06 '19 at 17:56
  • 2
    Of the three projects and as at June 2020 only https://github.com/davesque/django-rest-framework-simplejwt is actively maintained – söze Jun 28 '20 at 14:55
  • 2
    @söze yes. But, for now django-rest-framework-simplejwt also looking for maintainers https://github.com/SimpleJWT/django-rest-framework-simplejwt/issues/207 – aijogja Jul 05 '20 at 17:20
  • @coderDude in simplejwt you can set the lifetime of the refresh token in your settings.py like 'REFRESH_TOKEN_LIFETIME': timedelta(days=1000). – naheliegend Aug 19 '21 at 14:57
5

You can use refresh tokens, as defined in Oauth2.0

Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires,

After a successful login, issue a refresh and an access token. While a access token expires shortly, a refresh token is long lived. Store it securely, and use it to issue new access tokens when the current one expires

Community
  • 1
  • 1
pedrofb
  • 37,271
  • 5
  • 94
  • 142
  • Hi. Thanks. I got your point. How can we do in django-rest-framework-jwt. it gives only one token on user login. We need to two tokens for a login. ? http://getblimp.github.io/django-rest-framework-jwt/. Thanks – Karesh A Mar 02 '17 at 07:56
  • 1
    Seems the framework does not support 'refresh tokens' as I have answered. The token can be refreshed using the previous one, but it is not possible to issue a token only for get new access tokens. The alternative for your mobile device is issuing a JWT with greater expiration ~2 days (without considering using another framework) – pedrofb Mar 02 '17 at 08:27