refresh token with jwt
pigay opened this issue · 3 comments
Hi Miguel,
I'm puzzled with the token refresh procedure. If I understand correctly, to get a fresh access token, one can give the expired access token along with corresponding valid refresh token with a PUT request on /tokens endpoint.

From reading the code, both are verified with `User.verify_refresh_token(refresh_token, access_token_jwt)`, which in turn triggers `Token.from_jwt(access_token_jwt)`.

In the `from_jwt` method, you call `jwt.decode()`. However, the access token is expired, so `jwt.decode` should fail.

This means that you no longer can get a fresh access token as soon as your previous access token is expired.

Am I right?

Wouldn't it be better to call `jwt.decode()` with `verify_exp=False` in this case?
Pierre
Oh, I just realized that you don't encode the JWT with an `exp` claim. So `jwt` will always accept it...

Sorry for disturbing.
Pierre
The access token JWT is not encoded with an expiration. The token expiration is tracked in the database. The JWT is only used to increase the security through the signature.
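The design described in this answer, as an added example that is not code from the project or from either participant: the access token JWT carries no `exp` claim, so signature verification alone decides whether it is accepted, and the access and refresh expirations live in a tokens table. To run without PyJWT it uses a small hand-rolled HS256 encoder/decoder that mirrors `jwt.decode()` behaviour for `exp` and `verify_exp`; the in-memory `TOKENS` dict, the `SECRET_KEY`, the claim names and the function names are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET_KEY = b"example-only-signing-key"  # constructed sample key, not a real secret
TOKENS = {}  # constructed in-memory stand-in for the project's tokens table


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class InvalidSignature(Exception):
    pass


class ExpiredToken(Exception):
    pass


def jwt_encode(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT: header.payload.signature, no exp unless the caller adds one."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def jwt_decode(token: str, key: bytes, now: int, verify_exp: bool = True) -> dict:
    """Verify the HS256 signature (algorithm is pinned, the header's alg is ignored),
    then reject a past exp claim only if one is present and verify_exp is set."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidSignature("malformed token")
    header, payload, signature = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise InvalidSignature("signature mismatch")
    claims = json.loads(_b64url_decode(payload))
    if verify_exp and "exp" in claims and claims["exp"] <= now:
        raise ExpiredToken("exp claim is in the past")
    return claims


def issue_tokens(user_id: str, now: int, access_ttl: int = 60, refresh_ttl: int = 3600):
    """Create a token row; expirations live in the table, not in the JWT."""
    token_id = secrets.token_hex(8)
    refresh_token = secrets.token_urlsafe(32)
    TOKENS[token_id] = {
        "user": user_id,
        "access_expiration": now + access_ttl,
        "refresh_token": refresh_token,
        "refresh_expiration": now + refresh_ttl,
    }
    # No exp claim: the signature only binds token_id to user_id
    access_jwt = jwt_encode({"token": token_id, "user": user_id}, SECRET_KEY)
    return access_jwt, refresh_token


def verify_access_token(access_jwt: str, now: int):
    """Return the user for a valid, unexpired access token, else None."""
    try:
        claims = jwt_decode(access_jwt, SECRET_KEY, now)
    except (InvalidSignature, ExpiredToken):
        return None
    row = TOKENS.get(claims["token"])
    if row is None or row["access_expiration"] <= now:
        return None  # expiration enforced from the table
    return row["user"]


def refresh_tokens(refresh_token: str, access_jwt: str, now: int):
    """PUT /tokens: the expired access JWT still decodes (no exp claim), the table decides."""
    try:
        claims = jwt_decode(access_jwt, SECRET_KEY, now)
    except (InvalidSignature, ExpiredToken):
        return None
    row = TOKENS.get(claims["token"])
    if row is None or not hmac.compare_digest(row["refresh_token"], refresh_token):
        return None
    if row["refresh_expiration"] <= now:
        return None
    del TOKENS[claims["token"]]  # rotate: the old pair is revoked on use
    return issue_tokens(row["user"], now)
```

Because `verify_access_token` reads the expiration from the table, an access token can be revoked or extended server-side without reissuing the JWT, and `refresh_tokens` never needs `verify_exp=False`; the signature check still stops a forged or altered token from reaching the table lookup.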
Thanks for your quick answer ;)