
Is it possible to add an expiration date to the refresh token? #66

Closed
garaud opened this Issue Feb 21, 2018 · 3 comments


garaud commented Feb 21, 2018

Hi,

I'm a (very) beginner to the JWT auth mechanism. I use sanic and sanic-jwt. It works very well, thanks!

I read some stuff about the refresh token and other Python implementations, e.g. flask-jwt-extended and I think it's a good idea to have an expiration date for the refresh token (longer than the access token of course).

  • Is there a way to do that with the current code?
  • Can it be a new feature? Add a configuration option, check the date when refreshing, ...

Thanks. Best regards,
Damien G

Owner

ahopkins commented Feb 21, 2018

@garaud Welcome to the wonderful world of authentication!

Take a look at #34

There is an example in there about how this sort of functionality might work once v 1.0 is rolled out (hopefully in a week or two).

In general, I am somewhat opposed to baking this logic into the token itself. Why? Well, the developer is given a lot of control over the refresh tokens since they are responsible for storing them somewhere, and then providing that stored copy back to the application when it needs it to verify that a user is passing the correct refresh token.

Therefore, this is something that the application layer could handle itself.

from sanic_jwt import initialize

async def my_retrieve_refresh_token(request, *args, **kwargs):
    # load the refresh token the application stored for this user
    refresh_token_from_storage = do_something()
    # returning None makes the library refuse the refresh
    if refresh_token_from_storage.is_too_old():
        return None
    return refresh_token_from_storage

initialize(app, retrieve_refresh_token=my_retrieve_refresh_token)

Perhaps I am wrong on this one. You are the second person to ask for something like this. Maybe in the future we will add an option to return a self-expiring refresh token.

For now, however, I leave you with two options:

  1. Handle the expiration at the application layer using retrieve_refresh_token
  2. Override the get_refresh_token by subclassing the Authentication class (on v 1.0), and run the check inside retrieve_refresh_token

Let me know if you have any other thoughts. For now, I am closing the issue since this is not on the current radar.

@ahopkins ahopkins closed this Feb 21, 2018

Collaborator

vltr commented Feb 21, 2018

Adding: @garaud as an out-of-the-box solution, the refresh token generation by sanic_jwt is good enough to add some basic logic within retrieve_refresh_token. My application itself, using Redis as the storage backend, adds a TTL to the refresh_token storage and will return None when it has expired (using the method store_refresh_token). But, when version 1.0 comes out, you can follow the instructions provided by @ahopkins in #34 where you will be able to create your own refresh tokens, ex. using the same mechanisms used to create access tokens, using jwt, etc 😉

@vltr vltr referenced this issue Feb 21, 2018

Closed

Add hooks #67
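Both suggestions above (ahopkins's option 1, checking age inside retrieve_refresh_token, and vltr's Redis TTL on the stored copy) come down to the same pattern: store the generated refresh token with an expiry, and hand back None once it has elapsed so the refresh is refused. The following is an added, self-contained illustration of that pattern, not code from sanic-jwt or from anyone in this thread. The handler signatures, the explicit store argument, the FakeClock and the hypothetical can_refresh helper are assumptions made so the example runs offline with no Redis and no web framework.

```python
import asyncio
import secrets
import time


class RefreshTokenStore:
    """Constructed in-memory stand-in for a key/value backend with per-key
    TTL (the Redis pattern described in the thread). A token is kept only
    until its expires_at; a lookup after that behaves as if the key had
    been evicted."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl_seconds = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._tokens = {}   # user_id -> (refresh_token, expires_at)

    def put(self, user_id, refresh_token):
        self._tokens[user_id] = (refresh_token, self.clock() + self.ttl_seconds)

    def get(self, user_id):
        entry = self._tokens.get(user_id)
        if entry is None:
            return None
        token, expires_at = entry
        if self.clock() >= expires_at:
            # Lazy expiry: a stale token is dropped on first touch and
            # reported as absent, which is the None that makes a refresh fail.
            del self._tokens[user_id]
            return None
        return token

    def revoke(self, user_id):
        self._tokens.pop(user_id, None)


# Hypothetical handlers in the shape the thread describes (the exact
# sanic-jwt signatures are an assumption here): one stores the token the
# library generated, the other returns the stored copy or None.
async def store_refresh_token(store, user_id, refresh_token, *args, **kwargs):
    store.put(user_id, refresh_token)


async def retrieve_refresh_token(store, request, user_id, *args, **kwargs):
    return store.get(user_id)


async def can_refresh(store, user_id, presented_token):
    """Hypothetical application-side decision: allow a refresh only if a
    non-expired token is on record and it equals what the client presented,
    compared in constant time to avoid leaking the stored value by timing."""
    stored = await retrieve_refresh_token(store, None, user_id)
    if stored is None:
        return False
    return secrets.compare_digest(stored, presented_token)


class FakeClock:
    """Controllable clock so the example can jump forward instead of sleeping."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


async def demo():
    clock = FakeClock()
    # Constructed TTL: one week, longer than a typical access token lifetime.
    store = RefreshTokenStore(ttl_seconds=7 * 24 * 3600, clock=clock)
    token = secrets.token_urlsafe(32)
    await store_refresh_token(store, "user-42", token)
    results = []
    results.append(await can_refresh(store, "user-42", token))          # fresh: True
    results.append(await can_refresh(store, "user-42", "wrong-token"))  # mismatch: False
    clock.advance(6 * 24 * 3600)
    results.append(await can_refresh(store, "user-42", token))          # within TTL: True
    clock.advance(2 * 24 * 3600)
    results.append(await can_refresh(store, "user-42", token))          # past TTL: False
    return results


def run_demo():
    return asyncio.run(demo())


if __name__ == "__main__":
    print(run_demo())  # [True, False, True, False]
```

With a real backend the TTL is set when the token is stored (a Redis SET with an expiry, for instance) and the lazy-expiry branch in get becomes the backend's own eviction; the application code stays the same, since all it needs is "None once expired" from retrieve_refresh_token.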

Author

garaud commented Feb 23, 2018

Thanks @vltr and @ahopkins ! You're right, I can do that with the store/retrieve functions.
