Single token refresh vs Long running refresh tokens (Django GraphQL JWT)

Question

I used both "Single token refresh" mode and "Long running refresh tokens" mode.

"Single token refresh" mode:

GRAPHQL_JWT = {
    "JWT_VERIFY_EXPIRATION": True,
    "JWT_EXPIRATION_DELTA": timedelta(minutes=5),
    "JWT_REFRESH_EXPIRATION_DELTA": timedelta(days=7),
}

"Long running refresh tokens" mode:

GRAPHQL_JWT = {
    "JWT_VERIFY_EXPIRATION": True,
    "JWT_LONG_RUNNING_REFRESH_TOKEN": True, // This code is added.
    "JWT_EXPIRATION_DELTA": timedelta(minutes=5),
    "JWT_REFRESH_EXPIRATION_DELTA": timedelta(days=7),
}

But I couldn't get a refresh token in "Single token refresh" mode running this graphql below:

mutation {
  tokenAuth(username: "admin", password: "admin") {
    token
    payload
    refreshExpiresIn
    refreshToken // Here
  }
}

Then, I got this error:

{
  "errors": [
    {
      "message": "Cannot query field \"refreshToken\" on type \"ObtainJSONWebToken\". Did you mean \"refreshExpiresIn\"?",
      "locations": [
        {
          "line": 20,
          "column": 5
        }
      ]
    }
  ]
}

Then, I removed "refreshToken" field and ran this graphql:

mutation {
  tokenAuth(username: "admin", password: "admin") {
    token
    payload
    refreshExpiresIn
    # refreshToken
  }
}

Then, I could get this result without error but I still couldn't get a refresh token:

{
  "data": {
    "tokenAuth": {
      "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjQ3MDk2MTExLCJvcmlnSWF0IjoxNjQ3MDk1ODExfQ.5AY0HGqqmy3KwW1Gb_DFO99hIvJJh_AEngRH7hSe4DM",
      "payload": {
        "username": "admin",
        "exp": 1647096111,
        "origIat": 1647095811
      },
      "refreshExpiresIn": 1647700611
    }
  }
}

Next, when I ran this graphql with "refreshToken" field in "Long running refresh tokens" mode:

mutation {
  tokenAuth(username: "admin", password: "admin") {
    token
    payload
    refreshExpiresIn
    refreshToken // Here
  }
}

I could get a refresh token successfully:

{
  "data": {
    "tokenAuth": {
      "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjQ3MDk1ODg0LCJvcmlnSWF0IjoxNjQ3MDk1NTg0fQ.MOfdeD4P8SNNtCu3cm83qchqZr2aMo_ToWx_NchFiuE",
      "payload": {
        "username": "admin",
        "exp": 1647095884,
        "origIat": 1647095584
      },
      "refreshExpiresIn": 1647700384,
      "refreshToken": "9f82f2044942bdce8501c8caf026f93765ee7289" // Here
    }
  }
}

As long as I know, for JWT, normally there are 2 tokens Access token and Refresh token but why couldn't I get a refresh token in "Single token refresh" mode? Additionally, what is the difference between "Single token refresh" mode and "Long running refresh tokens" mode?

score 0 · Answer 1 · answered Mar 12 '22 at 16:42

As the name suggests, in "Single token refresh" mode, you can get only one Single token and Single token is the combination token of Access token and Refresh token so Single token has 2 functions of both Access token and Refresh token so with only one Single token, you can do 2 things "access resources(Access token function)" and "refresh Single token(Refresh token function)". You cannot get an access token and a refresh token separately in "Single token refresh" mode. That's why you couldn't get a refresh token in "Single token refresh" mode.

In "Long running refresh tokens" mode, you can get both Access token and Refresh token separately which is what you expect and want. In "Long running refresh tokens" mode, you can do more settings such as Per-cookie, Unlimited refresh, One time only use refresh token and Clear refresh tokens.

Single token refresh vs Long running refresh tokens (Django GraphQL JWT)

1 Answers1