does anyone know why I can not refresh token after 30 minutes. So if I refresh token during 30 minutes I can use that token for another 30 minutes. But if I try to refresh token after 30 minutes since last time, that won't work.
The error is {"error":"invalid_request"}
Related
I have a social media platform and I'm using cognito for auth. When I delete users, they are not logged out, how can i deactivate tokens
The token validity is 1 day. I waited for 1 day but it didn't log out.
I may be wrong, but it sounds like you don't clearly understand what is JWT and how it works.
Here are two types of JWT tokens: access token and refresh token.
access token can't be invalidated for single user until it expires. It is using for user authentication. In other way refresh token is using for new access tokens creation. By default, expiring time of refresh token is 30 days. So, user able generate new access token even if it expired until refresh token is valid.
You have to revoke refresh token when deleting user. Also expiring time of access token should be pretty short (e.g., 30 minutes). In this case user will be able login only 30 minutes at max after refresh token revocation.
Here is no info in your question about token revocation and which of tokens valid until 1 day, so I hope this info will help you figure out how it works.
I am generating Power BI embedded token in my application to populate PBI reports. The life time of the embeded token is 30 minutes. I am refreshing the token 5 minutes before the token expires.
However, is it possible to revoke the previous token which would still be active for remaining 5 minutes as this is a security concern?
Thanks in advance!!
I am using AWS Cognito for my webapp and while I was learning for the first time, I did something silly:
In my user pool ---> App client, I set the token configurations as such:
Refresh token expiration: 100 days
Access token expiration: 1 day
ID token expiration: 1 day
Some test engineers outside of my company (part-time workers) logged into the webapp and they have tokens with the above settings.
Now, I have set it to be more standard:
Refresh token expiration: 60 minutes
Access token expiration: 5 minutes
ID token expiration: 5 minutes
While the newly issued refresh tokens will expire after 1 hour, the previously issued token are still valid. The test engineers can still login to the webapp since they have the tokens stored in local storage.
How can I invoke the previously issued "super" tokens and stop those users from login again?
I have a problem with my Django REST application and JWT authentication module (https://jpadilla.github.io/django-rest-framework-jwt) in phase of refresh token.
Default logic of refresh token says that non-expired tokens can be "refreshed" to obtain a brand new token with renewed expiration time. Expiration time is setting to BE.
JWT framework provides an API for refresh token and you should use that to obtain new token and so expiration time reset every "user action" on web app.
This means that every call to BE from my Angular6 SPA must reset expiration time of a token.
I thought three ways to go:
1) Every call to BE from FE must call back api to refresh token. This means that number of calls are duplicate always.
Not elegant!
2) Call api to refresh token according to an alghoritm (in FE) to avoid duplicated calls.
Which alghoritm?
3) Reset expiration time of token to back end every call from FE, and use the same token from FE.
I can not to do this!
Any suggestions?
Thanks
You don't need to refresh you token with every api call. Only a few minutes before expiration. Most tokens contain the expiration time. So you need to refresh it every time it almost expires. Something like this: token.expiration - curenttime =< 5 minutes.
I believe there are some libraries that can do that for you. Maybe Auth0
I am using django rest frameworks JWT library
http://getblimp.github.io/django-rest-framework-jwt/
There are two settings on JWT token expiration
JWT_EXPIRATION_DELTA which is in seconds
The docs on it:
You can turn off expiration time verification by setting JWT_VERIFY_EXPIRATION to False. Without expiration verification, JWTs will last forever meaning a leaked token could be used by an attacker indefinitely.
This is an instance of Python's datetime.timedelta. This will be added to datetime.utcnow() to set the expiration time.
Default is datetime.timedelta(seconds=300)(5 minutes).
and JWT_REFRESH_EXPIRATION_DELTA
Docs:
mit on token refresh, is a datetime.timedelta instance. This is how much time after the original token that future tokens can be refreshed from.
Default is datetime.timedelta(days=7) (7 days).
Im not sure on the different use cases. I set the jwt token expiration delta to 20 seconds.
Then got a token saved it to local waited 20 seconds closed my browser window and re navigated to the site
expecting to not be logged in because the token would of expired but I was logged in.
So then what is the difference between JWT token expiration delta
and JWT Refresh Expiration Delta?
JWT_EXPIRATION_DELTA is the actual time till your JWT token will work. After the time mention in JWT_EXPIRATION_DELTA, whenever you will use this token to access a secure endpoint(that has JWT Auth enabled), it will return a error with message that Your JWT Token has been expired. So you need to keep refreshing JWT Token before it get expired. According to documentation:
Refresh with tokens can be repeated (token1 -> token2 -> token3), but this chain of token stores the time that the original token (obtained with username/password credentials), as orig_iat. You can only keep refreshing tokens up to JWT_REFRESH_EXPIRATION_DELTA
It means that no matter how many times you refresh your tokens, it will always keep the record of the original time when your 1st token was generated(First Time you logged in your user). So if JWT_REFRESH_EXPIRATION_DELTA is set to 1 day, you can't keep refreshing your JWT token after 1 day from when your original token was generated (means your 1st token generated time).
Don't know what mechanism you are using to check in the frontend if the user is authenticated or not. But if you use to check it on the backend (DRF-JWT provides some ready endpoints to verify and refresh tokens), you will find it will not work.