Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
Is it possible to add an expiration date to the refresh token? #66
I'm a (very) beginner to the JWT auth mechanism. I use sanic and sanic-jwt. It works very well, thanks!
I read some stuff about the refresh token and other Python implementations, e.g. flask-jwt-extended and I think it's a good idea to have an expiration date for the refresh token (longer than the access token of course).
Thanks. Best regards,
@garaud Welcome to the wonderful world of authentication!
Take a look at #34
There is an example in there about how this sort of functionality might work once v 1.0 is rolled out (hopefully in a week or two).
In general, I am somewhat opposed to baking this logic into the token itself. Why? Well, the developer is given a lot of control over the refresh tokens since they are responsible for storing them somewhere, and then providing that stored copy back to the application when it needs it to verify that a user is passing the correct refresh token.
Therefore, this something that the application layer could handle itself.
async def retrieve_refresh_token(request, *args, **kwargs): refresh_token_from_storage = do_something() if refresh_token_from_storage.is_too_old(): return None return refresh_token_from_storage initialize(app, retrieve_refresh_token=my_retrieve_refresh_token)
Perhaps I am wrong on this one. You are the second person to ask for something like this. Maybe in the future we will add an option to return a self-expiring refresh token.
For now, however, I leave you with two options:
Let me know if you have any other thoughts. For now, I am closing the issue since this is not on the current radar.
Adding: @garaud as an out-of-the-box solution, the refresh token generation by