Using JWTEncoderInterface to decode a token and ignoring Expired #37
Comments

A lot of APIs using the JWT will need an endpoint that allows developers to refresh the token (say if it's expired).
One of the key requirements of building a refresh token endpoint is to be able to decode the existing token (which will be passed as input), capture important data (like the username field, etc.) and create a new token out of it with the same data.
Presently, using the JWTEncoder's decode function will always return false if the token has expired. But my use-case requires the need to refresh tokens even if expired. How do I access the payload of a token even after it's expired?
Presently, the only way I see it is rewriting the JWTEncoder class and adding a new function like

```php
decodeIgnoreExpired($jwt)
```

What are your thoughts?

---

I like the idea of having a way of refreshing the token. I haven't seen anything about it in the JWT RFC, but it might be worth it to implement it. Currently, the method that validates the token validity is the

In the next release, we could make the token expiration check optional, globally or on a specific firewall, along with a refresh mechanism.

---

Instead of removing the 'exp' key, which is something that you don't want removed as every JWT token should ideally have it, I have extended

```php
// At the top of the encoder file: use Namshi\JOSE\JWS;

/**
 * Decode a token after checking its signature only, without checking 'exp'.
 *
 * @param string $token The token string
 *
 * @return array|bool The payload, or false if the token is malformed or its signature is invalid
 */
public function decodeIgnoreExpired($token)
{
    try {
        /** @var JWS $jws */
        $jws = JWS::load($token);
    } catch (\InvalidArgumentException $e) {
        // Not a parseable JWS at all
        return false;
    }

    // verify() checks the signature only; isValid() would additionally reject an expired token
    if (!$jws->verify($this->getPublicKey())) {
        return false;
    }

    return $jws->getPayload();
}
```

This only verifies integrity and ignores expiration. Also, since there's no RFC for implementing refresh, I believe you should leave it out of your bundle for a while, but make it possible for somebody to implement the refresh endpoint on their own accord. (I had to do quite a bit of overriding to implement a refresh token endpoint.)

---

Good! You're right, I don't think refresh should be implemented directly in the bundle. A simple recipe in the documentation should suffice. You're welcome to share your experience :)
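The thread above settles on verifying the signature but skipping the `exp` check so that an expired token can be refreshed. The following is an added, self-contained example (not code from this issue or from the bundle) that shows the two halves of that idea side by side: a decode that checks only the signature, and a refresh that still refuses tokens whose `exp` lies more than a bounded grace window in the past, so an old stolen token cannot be traded for a fresh one indefinitely. It uses HS256 with a constructed secret instead of the bundle's RSA public key, and the names `decode_verified`, `decode_for_refresh`, `refresh_token` and the 7-day `REFRESH_WINDOW_SECONDS` are assumptions of this example, not bundle API.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment would use the bundle's RSA key pair, not a shared secret.
DEMO_SECRET = b"constructed-demo-secret"
# Assumption for this example: a token may be refreshed for up to 7 days after its 'exp'.
REFRESH_WINDOW_SECONDS = 7 * 24 * 3600


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(payload: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_verified(token: str, secret: bytes):
    """Signature-only decode, the counterpart of decodeIgnoreExpired(): payload or None.

    'exp' is deliberately not evaluated here; callers decide what to do with it.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        expected = hmac.new(
            secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
        ).digest()
        # Pin the algorithm so a header claiming 'none' or another alg is rejected outright.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # malformed base64, JSON or segment count
        return None
    return payload if isinstance(payload, dict) else None


def decode_for_refresh(token: str, secret: bytes, now=None, window=REFRESH_WINDOW_SECONDS):
    """Payload if the signature is valid AND 'exp' is within the refresh window, else None.

    An expired token is accepted (that is the point of a refresh endpoint), but only
    for a bounded time after expiry; a token without 'exp' is not refreshable at all.
    """
    payload = decode_verified(token, secret)
    if payload is None:
        return None
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool):
        return None
    now = time.time() if now is None else now
    if now > exp + window:
        return None
    return payload


def refresh_token(token: str, secret: bytes, ttl: int, now=None):
    """Re-issue a token carrying the same claims with fresh 'iat'/'exp', or None if refused."""
    payload = decode_for_refresh(token, secret, now)
    if payload is None:
        return None
    now = int(time.time() if now is None else now)
    return encode_hs256(dict(payload, iat=now, exp=now + ttl), secret)


if __name__ == "__main__":
    old = encode_hs256({"username": "alice", "exp": int(time.time()) - 60}, DEMO_SECRET)
    print("signature-only decode:", decode_verified(old, DEMO_SECRET))
    print("refreshed token:", refresh_token(old, DEMO_SECRET, ttl=3600))
```

`decode_verified` mirrors the posted `decodeIgnoreExpired`: it answers "was this token issued by us?" and nothing more. The refresh path then re-introduces a time bound of its own, which is what keeps "ignore expiration" from meaning "accept forever".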