refresh token with jwt

Question

refresh token with jwt

pigay opened this issue a year ago · comments

Hi Miguel,

I'm puzzled with the token refresh procedure. If I understand correctly, to get a fresh access token, one can give the expired access token along with corresponding valid refresh token with a PUT request on /tokens endpoint.

From reading the code, both are verified with User.verify_refresh_token(refresh_token, access_token_jwt) which in turn triggers Token.from_jwt(access_token_jwt).

In the from_jwt method, you call jwt.decode()

However, the access token is expired, so jwt.decode should fail.

This means that you no longer can get a fresh access token as soon as your previous access token is expired.

Am I right?

Wouldn't it be better to call jwt.decode() with verify_exp=False in this case?

Pierre

Pierre Gay · Answer 1 · Thu May 18 2023 02:17:41 GMT+0800 (China Standard Time)

Oh, I just realized that you don't encode jwt with an exp claim. So jwt will always accept it...

Sorry for disturbing.

Pierre

Miguel Grinberg · Answer 2 · Thu May 18 2023 02:18:32 GMT+0800 (China Standard Time)

The access token JWT is not encoded with an expiration. The token expiration is tracked in the database. The JWT is only used to increase the security through the signature.

Pierre Gay · Answer 3 · Thu May 18 2023 02:20:32 GMT+0800 (China Standard Time)

Thanks for your quick answer ;)