How to generate - access token vs refresh token about django-graphql-jwt HOT 8 CLOSED

What happens if I don’t call refreshToken after JWT_EXPIRATION_DELTA=minutes=5 but within JWT_REFRESH_EXPIRATION_DELTA=days=7? Will verifyToken(t) return false if JWT_VERIFY_EXPIRATION=true but refreshToken will return a new valid token? Or does JWT_VERIFY_EXPIRATION need to be turned off in order to refresh an expired token?

from django-graphql-jwt.

Hey @vintage ,
you do not need a second token to refresh, there is no field in the JWT payload that specifies the type of token (refresh/access_token).

Use the refresh and update for a new one:

mutation  {
  refreshToken(token: "-token-") {
    token
    payload
  }
}

the settings:

JWT_VERIFY_EXPIRATION=true
JWT_REFRESH_EXPIRATION_DELTA=days=7
JWT_EXPIRATION_DELTA=minutes=5

It means that you need to refresh every 5 mins and even you keep on refreshing token every 5 mins, you will still be logout in 7 days after the first token has been issued.

JWT_VERIFY_EXPIRATION=False by default

from django-graphql-jwt.

Thanks a lot @mongkok, it seems I've misunderstood the concept a bit :) Works like a charm!

from django-graphql-jwt.

1 question to this great explanation. How to keep the user logged in “forever” then? Well, forever as long as he keeps rehreshing within allowed JWT_EXPIRATION_DELTA time span (as I understand I’d refresh triggered after the time of 5 minutes in this case, token gets invalidated?)

I could set JWT_REFRESH_EXPIRATION_DELTA to be like 30 days but it’s still not forever.

from django-graphql-jwt.

@vintage https://github.com/flavors/django-graphql-jwt/wiki/Token-expiration

from django-graphql-jwt.

JWT_VERIFY_EXPIRATION is false by default, which is the same as forever.

from django-graphql-jwt.

that's the way :-)

from django-graphql-jwt.

@googol7 According to my tests, with the next settings:

JWT_VERIFY_EXPIRATION=true
JWT_REFRESH_EXPIRATION_DELTA=days=7
JWT_EXPIRATION_DELTA=minutes=5

you should call refreshToken < 5 mins. In this case you will get refreshed token and payload (email + exp + orig_iat).

If you call verifyToken < 5 mins, you will get payload (same as refreshToken, ie: email + exp + orig_iat).

If you call refreshToken or verifyToken with a token which has not been created / refreshed within 5 mins, you will get:

{
    "errors": [
        {
            "message": "Signature has expired",
            "locations": [
                {
                    "line": 2,
                    "column": 3
                }
            ],
            "path": [
                "refreshToken"  # or "verifyToken"
            ]
        }
    ],
    "data": {
        "refreshToken": null  # or "verifyToken": null
    }
}

from django-graphql-jwt.