Long running refresh token support for JSON Web Token Authentication support for Django REST Framework
This package provides a plugin that allow JWT to be re-issued for one that owns refresh token stored on database.
- Python (3.4, 3.5)
- Django (1.8, 1.9)
- Django REST Framework (3.3)
Install using pip...
$ pip install djangorestframework-jwt-refresh-token
This allows for a client to request refresh tokens. These refresh tokens do not expire. They can be revoked (deleted). When a JWT has expired, it's possible to send a request with the refresh token in the header, and get back a new JWT.
In your settings.py, add refreshtoken to INSTALLED_APPS.
INSTALLED_APPS = [
...,
'refreshtoken',
]
}Then run migrate to add the new model.
python manage.py migrate refreshtokenIn your urls.py add the following URL route to enable obtaining a token via a POST included the user's username and password.
Configure your urls to add new endpoint
from refreshtoken.routers import urlpatterns as rt_urlpatterns
urlpatterns = [
url(...),
] + rt_urlpatternsYou can include this refresh token in your JWT_RESPONSE_PAYLOAD_HANDLER
def jwt_response_payload_handler(token, user=None, request=None):
payload = {
'token': token,
}
app = 'test'
try:
refresh_token = user.refresh_tokens.get(app=app).key
except RefreshToken.DoesNotExist:
refresh_token = None
payload['refresh_token'] = refresh_token
return payloadThen declare this custom payload_handler in your settings:
JWT_AUTH = {
...,
'JWT_RESPONSE_PAYLOAD_HANDLER': 'path.to.jwt_response_payload_handler',
...,
}Then your user can ask a new JWT token as long as the refresh_token exists.
$ http POST client_id=app grant_type="urn:ietf:params:oauth:grant-type:jwt-bearer" refresh_token=<REFRESH_TOKEN> api_type=app http://localhost:8000/delegate/{"token": "your_jwt_token_...", "refresh_token": "your long running refresh token..."}