Using JWTEncoderInterface to decode a token and ignoring Expired #37

Closed
epicwhale opened this issue Oct 17, 2014 · 3 comments
Comments

@epicwhale

A lot of APIs using JWT will need an endpoint that allows developers to refresh the token (say, if it's expired).

One of the key requirements of building a refresh token endpoint is to be able to decode the existing token (which will be passed as input), capture important data (like the username field, etc.) and create a new token out of it with the same data.

Presently, using the JWTEncoder's decode function will always return false if the token has expired. But my use-case requires the ability to refresh tokens even if expired. How do I access the payload of a token even after it's expired?

Presently, the only way I see it is rewriting the JWTEncoder class and adding a new function like decodeIgnoreExpired($jwt).

What are your thoughts?

@slashfan
Contributor

I like the idea of having a way of refreshing the token, I haven't seen anything about it in the JWT RFC but it might be worth it to implement it.

Currently, the method that validates the token validity is the JWS::isValid from the namshi jose library which checks both token integrity and expiration. Removing the exp key (using the JWTCreatedEvent) from the token should bypass that problem.

In the next release, we could make the token expiration check optional, globally or on a specific firewall, along with a refresh mechanism.

@epicwhale
Author

Instead of removing the 'exp' key, which is something that you don't want removed as every JWT token should ideally have it, I have extended JWTEncoder and added the following function to it.

    // Requires `use Namshi\JOSE\JWS;` at the top of the class file.

    /**
     * Decodes a token, checking its signature only; the exp claim is ignored.
     *
     * @param string $token The token string
     *
     * @return array|bool The payload, or false if the token is malformed or its signature does not verify
     */
    public function decodeIgnoreExpired($token)
    {
        try {
            /** @var JWS $jws */
            $jws = JWS::load($token);
        } catch (\InvalidArgumentException $e) {
            // Not a parseable JWS (wrong number of segments, bad base64 or JSON)
            return false;
        }

        // verify() checks the signature only, unlike isValid(), which also checks exp
        if (!$jws->verify($this->getPublicKey())) {
            return false;
        }

        return $jws->getPayload();
    }

This only verifies integrity and ignores expiration.

Also, since there's no RFC for implementing refresh, I believe you should leave it out of your bundle for a while, but make it possible for somebody to implement the refresh endpoint on their own accord. (I had to do quite a bit of overriding to implement a refresh token endpoint.)
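
An added, self-contained example (not the bundle's or namshi/jose's code) of the same integrity-only decode for a refresh endpoint, with two checks a practitioner would want next to it: the algorithm is pinned rather than read from the token, and an expired token is accepted only within a grace window. It uses PHP's OpenSSL functions directly; the `signRs256` demo signer, the `$graceSeconds` parameter and the throwaway key pair and token are assumptions for the demo.

```php
<?php
// Added example (not the bundle's or namshi/jose's code): RS256 helpers on plain OpenSSL
// that decode an expired token for refresh while still verifying the signature, pinning
// the algorithm and bounding staleness with a grace window ($graceSeconds is an assumption).
function b64uEncode(string $d): string { return rtrim(strtr(base64_encode($d), '+/', '-_'), '='); }
function b64uDecode(string $d) { return base64_decode(strtr($d, '-_', '+/') . str_repeat('=', (4 - strlen($d) % 4) % 4), true); }

// Demo-only signer so the example can mint a token without key files.
function signRs256(array $payload, $privateKey): string
{
    $h = b64uEncode(json_encode(['alg' => 'RS256', 'typ' => 'JWT']));
    $p = b64uEncode(json_encode($payload));
    openssl_sign("$h.$p", $sig, $privateKey, OPENSSL_ALGO_SHA256);
    return "$h.$p." . b64uEncode($sig);
}

// Returns the payload, or false if the token is malformed, not RS256, fails signature
// verification, lacks an integer exp, or expired more than $graceSeconds before $now.
function decodeForRefresh(string $jwt, string $publicKeyPem, int $graceSeconds, ?int $now = null)
{
    $now = $now ?? time();
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { return false; }
    [$h, $p, $s] = $parts;
    $header  = json_decode((string) b64uDecode($h), true);
    $payload = json_decode((string) b64uDecode($p), true);
    $sig     = b64uDecode($s);
    if (!is_array($header) || !is_array($payload) || $sig === false) {
        return false;
    }
    // Pin the algorithm: the token's own header must never choose the verification scheme.
    if (($header['alg'] ?? null) !== 'RS256') { return false; }
    // The integrity check is unconditional; only the expiry check below is relaxed.
    if (openssl_verify("$h.$p", $sig, $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        return false;
    }
    // Expiry is tolerated, but only within the grace window.
    if (!isset($payload['exp']) || !is_int($payload['exp']) || $payload['exp'] + $graceSeconds < $now) {
        return false;
    }
    return $payload;
}

// Constructed demo: throwaway key pair and a token that expired ten minutes ago.
$key    = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pubPem = openssl_pkey_get_details($key)['key'];
$token  = signRs256(['username' => 'alice', 'exp' => time() - 600], $key);
var_dump(decodeForRefresh($token, $pubPem, 3600));       // one-hour grace window
var_dump(decodeForRefresh($token, $pubPem, 60));         // one-minute grace window
var_dump(decodeForRefresh($token . 'x', $pubPem, 3600)); // tampered signature segment
```

Whatever the refresh endpoint accepts, the new token should be minted from the verified payload, never from the untrusted request body.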

@slashfan
Contributor

Good! You're right, I don't think refresh should be implemented directly in the bundle. A simple recipe in the documentation should suffice. You're welcome to share your experience :)
