Thoughts on how to refresh #52

Closed
ahopkins opened this Issue Feb 1, 2018 · 1 comment

Owner

ahopkins commented Feb 1, 2018

Right now, you are required to send the access token and the refresh token.

Why? Well, it seems like a good idea to facilitate the lookup of refresh tokens by knowing against which user you are trying to look up. It seems like another layer (albeit thin) of security. The alternative is to look up the user by refresh token alone.

In the current operation, there is NO verification of the JWT at this stage while refreshing, it is used ONLY to pass the payload and get the intended user_id.

I think this is probably the best method, but I am open to thoughts on whether this should change. Perhaps it could be configurable.

Collaborator

vltr commented Feb 1, 2018

I think this is a good approach to tighten up security (by cross-referencing the expired token payload and the refresh token given), but this can be optional in the refresh token methods' implementation (adding all required arguments to make this work to retrieve_refresh_token (most probably) and / or store_refresh_token).
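As an added example (not code from the sanic-jwt project or from either participant), here is a small Python model of the refresh step as the issue and the reply describe it: the access token is decoded without any verification purely to obtain the `user_id`, that id selects the stored refresh token, and the presented refresh token must match it. The HS256 encoder, the in-memory `RefreshStore` (its method names are modelled after the `store_refresh_token` / `retrieve_refresh_token` hooks mentioned above) and the signing secret are all stand-ins constructed for this example. The point a defender should take from it: because nothing in the access token is verified at this stage, the `user_id` is attacker-controlled, so the only thing that actually authorizes the refresh is an exact, constant-time match against the refresh token stored for that user.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed secret for this example only; a real deployment loads it from configuration.
SECRET = b"example-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(payload: dict, secret: bytes = SECRET) -> str:
    """Minimal HS256 JWT encoder (stand-in for the library's own encoder)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def unverified_payload(token: str) -> dict:
    """Read the payload WITHOUT checking signature or expiry.

    This mirrors the refresh step described in the issue: the (possibly expired)
    access token only tells us which user_id to look up, so nothing in it can be
    trusted on its own. A malformed token yields an empty payload.
    """
    try:
        _, body, _ = token.split(".")
        return json.loads(_b64url_decode(body))
    except (ValueError, json.JSONDecodeError):
        return {}


class RefreshStore:
    """In-memory stand-in for store_refresh_token / retrieve_refresh_token."""

    def __init__(self):
        self._by_user = {}

    def store_refresh_token(self, user_id, refresh_token):
        self._by_user[user_id] = refresh_token

    def retrieve_refresh_token(self, user_id):
        return self._by_user.get(user_id)


def issue_tokens(store, user_id, access_ttl=900):
    """Issue a short-lived access JWT plus a random refresh token bound to user_id."""
    access = encode_jwt({"user_id": user_id, "exp": int(time.time()) + access_ttl})
    refresh = secrets.token_urlsafe(32)
    store.store_refresh_token(user_id, refresh)
    return access, refresh


def refresh_access_token(store, access_token, refresh_token):
    """Refresh flow as described in the thread.

    user_id comes from the unverified access token and is treated as a lookup
    hint only; the presented refresh token must exactly match the one stored
    for that user. Returns a new access token, or None on any failure.
    """
    user_id = unverified_payload(access_token).get("user_id")
    if user_id is None:
        return None
    stored = store.retrieve_refresh_token(user_id)
    if stored is None:
        return None
    # Constant-time comparison: a wrong token fails identically regardless of
    # how many leading bytes happen to match.
    if not hmac.compare_digest(stored.encode(), str(refresh_token).encode()):
        return None
    return encode_jwt({"user_id": user_id, "exp": int(time.time()) + 900})
```

Because `exp` is never consulted here, an expired access token refreshes just as well as a live one, which is exactly the behaviour the issue describes; the reply's suggestion of making the cross-check optional would amount to letting `retrieve_refresh_token` be called without the `user_id` hint.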

@ahopkins ahopkins closed this Feb 22, 2018
