
How to generate - access token vs refresh token


Hey,

I have a problem understanding how to properly generate an access token and a refresh token. According to the docs there is a concept of both, given the JWT_REFRESH_EXPIRATION_DELTA and JWT_EXPIRATION_DELTA configuration variables, but in the source files I’ve seen only a single method for generating a token, which is https://github.com/flavors/django-graphql-jwt/blob/master/graphql_jwt/shortcuts.py#L4

The flow which I would like to follow is:

  1. User sign-up/sign-in to the app
  2. User receives two tokens: access_token (valid for 5 minutes) and refresh_token (valid for 7 days)
  3. The access_token is used to communicate frontend app with the backend API
  4. The refresh_token is used to regenerate the access_token at intervals, so it stays valid while the app is used in a longer session

Is this the correct approach for such a scenario?

from datetime import datetime
from django.conf import settings
from graphql_jwt.shortcuts import get_token

# access token: expires after JWT_EXPIRATION_DELTA
access_token = get_token(user)
# refresh token: same helper, with the expiry pushed out by JWT_REFRESH_EXPIRATION_DELTA
refresh_token = get_token(user, exp=datetime.utcnow() + settings.JWT_REFRESH_EXPIRATION_DELTA)
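The four-step flow above, written out as a self-contained example. This is added illustration, not code from the django-graphql-jwt project or from the issue author: it builds HS256 JWTs with the standard library only (no PyJWT), uses a constructed secret, and assumes a `typ` claim to distinguish the two tokens and an `orig_iat` claim on the refresh token; the 5-minute and 7-day lifetimes are the ones given in the post. The security points it demonstrates are that the verifier rejects a refresh token presented as an access token (and vice versa), that an expired access token is refused even though a refresh is still possible, and that refreshing never extends the session past the refresh token's original expiry.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-secret-not-for-production"
ACCESS_TTL = 5 * 60             # mirrors JWT_EXPIRATION_DELTA = 5 minutes
REFRESH_TTL = 7 * 24 * 60 * 60  # mirrors JWT_REFRESH_EXPIRATION_DELTA = 7 days


class TokenError(Exception):
    """Raised for any token the verifier refuses."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(payload: dict, secret: bytes = SECRET) -> str:
    """Serialise payload as a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(signature)}"


def decode(token: str, expected_type: str, now=None, secret: bytes = SECRET) -> dict:
    """Verify signature, algorithm, token type and expiry; return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header, body, signature = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    expected = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(signature), expected):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(body))
    # The type claim (an assumption of this example) keeps a refresh token from
    # being accepted where an access token is required, and vice versa.
    if claims.get("typ") != expected_type:
        raise TokenError(f"not a {expected_type} token")
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")
    return claims


def is_valid(token: str, expected_type: str, now=None) -> bool:
    """Boolean wrapper around decode() for callers that only need accept/reject."""
    try:
        decode(token, expected_type, now)
        return True
    except (TokenError, ValueError):  # ValueError covers bad base64 / JSON
        return False


def issue_pair(username: str, now=None) -> dict:
    """Step 2 of the flow: one short-lived access token plus one long-lived refresh token."""
    now = int(time.time()) if now is None else now
    access = encode({"sub": username, "typ": "access", "iat": now, "exp": now + ACCESS_TTL})
    refresh = encode({"sub": username, "typ": "refresh", "orig_iat": now, "exp": now + REFRESH_TTL})
    return {"access_token": access, "refresh_token": refresh}


def refresh_access(refresh_token: str, now=None) -> str:
    """Step 4: mint a fresh access token from a still-valid refresh token.

    The refresh token itself is not renewed, so the session cannot outlive the
    original refresh window, and the new access token never expires later than
    the refresh token that produced it."""
    now = int(time.time()) if now is None else now
    claims = decode(refresh_token, "refresh", now)
    exp = min(now + ACCESS_TTL, claims["exp"])
    return encode({"sub": claims["sub"], "typ": "access", "iat": now, "exp": exp})


if __name__ == "__main__":
    t0 = int(time.time())
    pair = issue_pair("alice", now=t0)
    print("access valid now:", is_valid(pair["access_token"], "access", now=t0))
    print("access valid after 6 min:", is_valid(pair["access_token"], "access", now=t0 + 360))
    print("refreshed:", decode(refresh_access(pair["refresh_token"], now=t0 + 360), "access", now=t0 + 360))
```

Once the refresh token reaches its own `exp`, `refresh_access` raises `TokenError` and the user has to sign in again; keeping the user signed in "forever" would require re-issuing the refresh token on each refresh, which is a deliberate policy choice rather than something the flow above does by default.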

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 8 (4 by maintainers)

Top GitHub Comments

2 reactions
googol7 commented, Aug 23, 2018

What happens if I don’t call refreshToken after JWT_EXPIRATION_DELTA=minutes=5 but within JWT_REFRESH_EXPIRATION_DELTA=days=7? Will verifyToken(t) return false if JWT_VERIFY_EXPIRATION=true but refreshToken will return a new valid token? Or does JWT_VERIFY_EXPIRATION need to be turned off in order to refresh an expired token?

1 reaction
tunarob commented, Mar 31, 2018

One question about this great explanation. How do I keep the user logged in “forever” then? Well, forever as long as he keeps refreshing within the allowed JWT_EXPIRATION_DELTA time span (as I understand it, if a refresh were triggered after the 5 minutes in this case, the token gets invalidated?)

I could set JWT_REFRESH_EXPIRATION_DELTA to be like 30 days but it’s still not forever.
