I'm using Django REST framework JWT Auth for session creation and permissions, the only problem is: when I log in and after the token expires I can't continue doing the operation I want, unless I log in again. And I didn't fully understand the documentations provided for the additional settings. So can any one explain a method for dynamically creating (and refreshing) my token (following best practices) so that I can keep doing operations when I'm logged in. P.S: I'm using angular 2 for my front end, and I'm inserting the token in the Http requests headers. Thanks.

JWT token refresh is a little confusing, and i hope this explanation helps. <ul> <li>tokens have an <code>issued at</code> time (<code>iat</code> in the token)</li> <li>tokens have an <code>expiration date</code> (now() + 1 hour, for example)</li> <li>the token can't be changed. server can only issue a new one</li> <li> <code>iat</code> never changes, but <code>expires</code> does change with each refresh</li> </ul> When you want to extend a token, this is what happens: <ul> <li>You send your <code>token</code> to the server endpoint <code>/.../refresh/</code> </li> <li>Server checks its not expired: <code>now() <= token.iat + JWT_REFRESH_EXPIRATION_DELTA</code> </li> <li> If not expired: <ul> <li>Issue a NEW token (returned in the json body, same as login)</li> <li>New Token is valid for <code>now() + JWT_EXPIRATION_DELTA</code> </li> <li>The <code>issued at</code> value in the token does not change </li> <li>App now has 2 tokens (technically). </li> <li>App discards the old token and starts sending the new one</li> </ul> </li> <li> If expired: return error message and 400 status </li> </ul> <h3>Example</h3> You have <code>EXPIRATION=1 hour</code>, and a <code>REFRESH_DELTA=2 days</code>. When you login you get a token that says "created-at: Jun-02-6pm". You can refresh this token (or any created from it by refreshing) for 2 days. This means, for this login, the longest you can use a token without re-logging-in, is 2 days and 1 hour. You could refresh it every 1 second, but after 2 days exactly the server would stop allowing the refresh, leaving you with a final token valid for 1 hour. (head hurts). <h3>Settings</h3> You have to enable this feature in the backend in the <code>JWT_AUTH</code> settings in your django settings file. I believe that it is off by default. Here are the settings I use: <pre class="prettyprint"><code>JWT_AUTH = { # how long the original token is valid for 'JWT_EXPIRATION_DELTA': datetime.timedelta(days=2), # allow refreshing of tokens 'JWT_ALLOW_REFRESH': True, # this is the maximum time AFTER the token was issued that # it can be refreshed. exprired tokens can't be refreshed. 'JWT_REFRESH_EXPIRATION_DELTA': datetime.timedelta(days=7), } </code></pre> Then you can call the JWT refresh view, passing in your token in the body (as json) and getting back a new token. Details are in the docs at http://getblimp.github.io/django-rest-framework-jwt/#refresh-token <pre class="prettyprint"><code>$ http post localhost:8000/auth/jwt/refresh/ --json token=$TOKEN </code></pre> Which returns: <pre class="prettyprint"><code>HTTP 200 { "token": "new jwt token value" } </code></pre>

Django Rest Framework JWT: How to change the token expiration time when logged in

Tags:

angularjs

django

token

jwt

django-rest-framework

I'm using Django REST framework JWT Auth for session creation and permissions, the only problem is: when I log in and after the token expires I can't continue doing the operation I want, unless I log in again. And I didn't fully understand the documentations provided for the additional settings.

So can any one explain a method for dynamically creating (and refreshing) my token (following best practices) so that I can keep doing operations when I'm logged in.

P.S: I'm using angular 2 for my front end, and I'm inserting the token in the Http requests headers. Thanks.

990

asked May 04 '17 10:05

Ch_y

2 Answers

JWT token refresh is a little confusing, and i hope this explanation helps.

tokens have an issued at time (iat in the token)
tokens have an expiration date (now() + 1 hour, for example)
the token can't be changed. server can only issue a new one
iat never changes, but expires does change with each refresh

When you want to extend a token, this is what happens:

You send your token to the server endpoint /.../refresh/
Server checks its not expired: now() <= token.iat + JWT_REFRESH_EXPIRATION_DELTA
If not expired:
- Issue a NEW token (returned in the json body, same as login)
- New Token is valid for now() + JWT_EXPIRATION_DELTA
- The issued at value in the token does not change
- App now has 2 tokens (technically).
- App discards the old token and starts sending the new one
If expired: return error message and 400 status

Example

You have EXPIRATION=1 hour, and a REFRESH_DELTA=2 days. When you login you get a token that says "created-at: Jun-02-6pm". You can refresh this token (or any created from it by refreshing) for 2 days. This means, for this login, the longest you can use a token without re-logging-in, is 2 days and 1 hour. You could refresh it every 1 second, but after 2 days exactly the server would stop allowing the refresh, leaving you with a final token valid for 1 hour. (head hurts).

Settings

You have to enable this feature in the backend in the JWT_AUTH settings in your django settings file. I believe that it is off by default. Here are the settings I use:

JWT_AUTH = {
    # how long the original token is valid for
    'JWT_EXPIRATION_DELTA': datetime.timedelta(days=2),

    # allow refreshing of tokens
    'JWT_ALLOW_REFRESH': True,

    # this is the maximum time AFTER the token was issued that
    # it can be refreshed.  exprired tokens can't be refreshed.
    'JWT_REFRESH_EXPIRATION_DELTA': datetime.timedelta(days=7),
}

Then you can call the JWT refresh view, passing in your token in the body (as json) and getting back a new token. Details are in the docs at http://getblimp.github.io/django-rest-framework-jwt/#refresh-token

$ http post localhost:8000/auth/jwt/refresh/ --json token=$TOKEN

Which returns:

HTTP 200 
{
    "token": "new jwt token value" 
}

answered Sep 17 '22 07:09

Andrew

I've had same problem in angularjs and I've solved it by writing a custom interceptor service for my authentication headers.

Here's my code:

function($http, $q, store, jwtHelper) {
    let cache = {};
    return {
      getHeader() {
        if (cache.access_token && !jwtHelper.isTokenExpired(cache.access_token)) {

          return $q.when({ 'Authorization': 'Token ' + cache.access_token });

        } else {
          cache.access_token = store.get('token');
          if (cache.access_token && !jwtHelper.isTokenExpired(cache.access_token)) {

            return $q.when({ 'Authorization': 'Token ' + cache.access_token });

          } else {
            return $http.post(localhost + 'api-token-refresh/',{'token': cache.access_token})
            .then(response => {
              store.set('token', response.data.token);
              cache.access_token = response.data.token;
              console.log('access_token', cache.access_token);
              return {'Authorization': 'Token ' + cache.access_token};

            },
            err => {
              console.log('Error Refreshing token ',err);
            }
          );
          }
        }
      }
    };


  }

Here, on every request I've had to send, the function checks whether the token is expired or not. If its expired, then a post request is sent to the "api-token-refresh" in order to retrieve the new refreshed token, prior to the current request. If not, the nothing's changed.

But, you have to explicitly call the function getHeader() prior to the request to avoid circular dependency problem.

This chain of requests can be written into a function like this,

someResource() {
return someService.getHeader().then(authHeader => { 
return $http.get(someUrl, {headers: authHeader});

}); }