Gokul595 / api_guard

JWT authentication solution for Rails APIs

Expiring Refresh Tokens

KyleAsaff opened this issue

Is there a way to implement expiring refresh tokens? From the docs, it looks like refresh tokens are valid forever unless explicitly blacklisted (and therefore have to enable blacklisting)?

Most JWT implementations I have seen have a short expiry (e.g. 1 day) for the access token and a long-lived expiry (e.g. 200 days) for the refresh token.

This doesn't seem to be an option with this gem, unfortunately, unless I am missing something? Are there any solutions to cover the use case of implementing an expiring refresh token?

@KyleAsaff Currently, there is no way to expire a refresh token. But, this option looks like a must needed one 👍

And, the main purpose of blacklisting in this gem is to prevent a logged-out token from accessing the API until the expiration.

I will try to add this expiry option for refresh tokens in a few weeks. Thanks for bringing this.

awesome! thank you, that would be amazing. I am building my new API on top of this gem and would love the refresh token expiry option to allow for a more secure API.

I'm starting my first Rails project with this token. It's pretty good, but I was also thinking about that feature. Hope to see it soon!

@Gokul595 any updates here 🙂? I have been holding off using this gem in my production app until it's implemented

@KyleAsaff Sorry, couldn't work on this due to some reasons. I will try to make it available in one or two weeks.

@Gokul595 that would be amazing!! thank you so much

Any updates here? I see there's a PR from @rcarter currently open.

@KyleAsaff @xxSkyy This is done. Please upgrade to the latest version 0.6.0 and add a migration to add expire_at column in refresh token table.

Thanks for waiting and thanks to @rcarter for getting this done.

That's great! I'll test it when I come back to some RoR project!
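
The behaviour this thread asks for, as an added plain-Ruby illustration that is not api_guard's code and not part of any comment above: a refresh token row carries an expire_at value, and redemption is refused once it has passed. The class and method names, the in-memory table, the digest storage and the fail-closed handling of rows whose expire_at is empty (tokens issued before the column was added) are assumptions of this example, not the gem's documented behaviour.

```ruby
require "securerandom"
require "digest"

# Constructed stand-in for a refresh token table that has an expire_at column.
RefreshTokenRow = Struct.new(:user_id, :token_digest, :expire_at)

class RefreshTokenStore
  DAY         = 24 * 60 * 60
  ACCESS_TTL  = 1 * DAY     # short-lived access token (the thread's example)
  REFRESH_TTL = 200 * DAY   # long-lived refresh token (the thread's example)

  def initialize
    @rows = []
  end

  # Issue a refresh token. ttl: nil models a row created before the
  # expire_at column existed (NULL after the migration).
  def issue(user_id, now: Time.now, ttl: REFRESH_TTL)
    token = SecureRandom.urlsafe_base64(32)
    @rows << RefreshTokenRow.new(user_id, digest(token), ttl && now + ttl)
    token
  end

  # Redeem a refresh token for a new access token lifetime.
  # Returns [:ok, user_id, access_expires_at] or [:rejected, reason].
  def redeem(token, now: Time.now)
    row = @rows.find { |r| r.token_digest == digest(token) }
    return [:rejected, :unknown] unless row
    # Policy chosen for this example: a row without an expiry fails closed,
    # so pre-migration tokens force a fresh login instead of living forever.
    return [:rejected, :no_expiry] if row.expire_at.nil?
    return [:rejected, :expired] if row.expire_at <= now
    [:ok, row.user_id, now + ACCESS_TTL]
  end

  # Delete expired rows (e.g. from a scheduled job); returns how many were removed.
  def purge_expired(now: Time.now)
    before = @rows.size
    @rows.reject! { |r| r.expire_at && r.expire_at <= now }
    before - @rows.size
  end

  private

  # Only a digest of the token is stored, so a leaked table cannot be replayed.
  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```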