Remove issued at from persistent claims #200
Conversation
why?
Because a token cannot be extended beyond the Refresh TTL. After a refresh, the new token retains the IAT of the very first token. This means that after the expiry of the Refresh TTL of the first generated token, the user still has to log in again.
@@ -181,7 +181,7 @@ protected function buildRefreshClaims(Payload $payload) | |||
$persistentClaims, | |||
[ | |||
'sub' => $payload['sub'], | |||
'iat' => $payload['iat'], | |||
// 'iat' => $payload['iat'], |
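Review bot: Commenting out `'iat' => $payload['iat'],` in buildRefreshClaims leaves dead code in the merged array; delete the line outright or, as the discussion asks, carry `iat` only when it is listed in the persistent_claims configuration so that deployments relying on the original issue time surviving a refresh are not changed silently. Either way the effect on refresh behaviour (the refresh window is no longer anchored to the first token's `iat`) should be recorded as a breaking change in CHANGELOG.md.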
For backwards compatibility, iat should be included in the persistent_claims config and marked as Breaking Change accordingly.
@jansgescheit one question: can we add the iat in $persistentClaims conditionally, if it exists on the payload? In that way, it'll not crash if someone wants to use a custom one.
For my understanding, the iat is always included in the payload. Therefore, not much will be achieved here.
So we cannot just remove it, right? In that case it should additionally be added with an if condition, in case for some reason the user doesn't want to have it in the persistent claims.
That would make sense to avoid a breaking change. Perhaps via a configuration switch with a denylist for filtering
Ok, so let's add the if to it so that we can merge it.
Thanks
Okay, I see in the JWT specs that this is how the refresh TTL is supposed to work.
I don't really follow why it would cause the user to have to log in again; we use this package without that problem. If you wanted a custom set of claims, you can do that too already?
The problem is that after the refresh the new token gets the Example: TTL = 60min
Here is another article which also addresses the problem in this package.
Thanks, everyone, for contributing. I've tested here and so far I haven't got any issues; are we good to merge this update? Thanks.
@eschricker what are your thoughts about that?
@ashvin27 can you do the requested changes in the comments?
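The refresh-window behaviour argued over in this thread (the original token's IAT being carried into every refreshed token, and the proposed fix of carrying it only when it is listed in persistent_claims) modelled as an added Python example; this is not the project's PHP code. TTL values, the `simulate` helper and the minute-based timestamps are constructed for illustration.

```python
"""Model of how carrying 'iat' in persistent claims affects token refresh."""

TTL = 60              # constructed: access-token lifetime in minutes
REFRESH_TTL = 20160   # constructed: refresh window in minutes (two weeks)


def build_refresh_claims(old, persistent_claims):
    """Claims copied from the old token into the refreshed one.

    'sub' is always carried; 'iat' is carried only if the deployment lists
    it in persistent_claims (the conditional behaviour requested in review).
    """
    carried = {name: old[name] for name in persistent_claims if name in old}
    carried['sub'] = old['sub']
    return carried


def refresh(old, now, persistent_claims):
    """Return a refreshed token, or None if the refresh window has elapsed.

    The refresh window is measured from the token's 'iat', so whatever 'iat'
    the old token carries decides whether this refresh is still allowed.
    """
    if now - old['iat'] > REFRESH_TTL:
        return None
    fresh = {'sub': old['sub'], 'iat': now, 'exp': now + TTL}
    # Carried claims override the freshly generated ones, so a carried 'iat'
    # pins every refreshed token to the first token's issue time.
    return {**fresh, **build_refresh_claims(old, persistent_claims)}


def simulate(persistent_claims, refresh_every=50, total_minutes=30000):
    """Simulate a user who refreshes every `refresh_every` minutes.

    Returns the minute at which a refresh is first refused (the user must
    log in again), or None if the session stays alive for the whole run.
    """
    token = {'sub': 'user-1', 'iat': 0, 'exp': TTL}  # issued at login, t=0
    for now in range(refresh_every, total_minutes + 1, refresh_every):
        token = refresh(token, now, persistent_claims)
        if token is None:
            return now
    return None


if __name__ == '__main__':
    print('iat carried   -> forced re-login at minute', simulate(('iat',)))
    print('iat not carried -> forced re-login at minute', simulate(()))
```

With `iat` carried, the active user is forced to log in again at the first refresh after minute 20160 even though every individual refresh was on time; without it, each refresh restarts the window.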
Remove iat (IssuedAt) from persistent claims to resolve refresh token expiration issue