Difference between JWT token expiration_delta and JWT Refresh Expiration Delta django jwt - django

I am using Django REST Framework's JWT library
http://getblimp.github.io/django-rest-framework-jwt/
There are two settings on JWT token expiration
JWT_EXPIRATION_DELTA which is in seconds
The docs on it:
You can turn off expiration time verification by setting JWT_VERIFY_EXPIRATION to False. Without expiration verification, JWTs will last forever meaning a leaked token could be used by an attacker indefinitely.
This is an instance of Python's datetime.timedelta. This will be added to datetime.utcnow() to set the expiration time.
Default is datetime.timedelta(seconds=300)(5 minutes).
and JWT_REFRESH_EXPIRATION_DELTA
Docs:
Limit on token refresh, is a datetime.timedelta instance. This is how much time after the original token that future tokens can be refreshed from.
Default is datetime.timedelta(days=7) (7 days).
I'm not sure of the different use cases. I set the JWT token expiration delta to 20 seconds.
Then I got a token, saved it locally, waited 20 seconds, closed my browser window and re-navigated to the site,
expecting not to be logged in because the token would have expired, but I was logged in.
So then what is the difference between JWT token expiration delta
and JWT refresh expiration delta?

JWT_EXPIRATION_DELTA is the actual time for which your JWT token will work. After the time mentioned in JWT_EXPIRATION_DELTA, whenever you use this token to access a secure endpoint (one that has JWT auth enabled), it will return an error with a message that your JWT token has expired. So you need to keep refreshing the JWT token before it expires. According to the documentation:
Refresh with tokens can be repeated (token1 -> token2 -> token3), but this chain of tokens stores the time of the original token (obtained with username/password credentials) as orig_iat. You can only keep refreshing tokens up to JWT_REFRESH_EXPIRATION_DELTA.
It means that no matter how many times you refresh your tokens, it will always keep a record of the original time when your first token was generated (the first time you logged in your user). So if JWT_REFRESH_EXPIRATION_DELTA is set to 1 day, you can't keep refreshing your JWT token after 1 day from when your original token was generated (meaning the time your first token was generated).
I don't know what mechanism you are using to check in the frontend whether the user is authenticated or not. But if you check it on the backend (DRF-JWT provides some ready endpoints to verify and refresh tokens), you will find it will not work.
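The two deltas side by side, as an added example that is not part of the original answer or of django-rest-framework-jwt: a minimal HS256 encoder/decoder stands in for the library's PyJWT-based one, and refresh_token mirrors the orig_iat rule quoted above (a token must still be unexpired to be refreshed, and the chain ends once orig_iat + JWT_REFRESH_EXPIRATION_DELTA has passed). JWT_REFRESH_EXPIRATION_DELTA is set to 1 day here to match the answer's example; the secret, username and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
from datetime import timedelta

# Constructed settings mirroring the two DRF-JWT knobs under discussion (values are illustrative).
JWT_SECRET_KEY = b"example-secret-do-not-use"
JWT_EXPIRATION_DELTA = timedelta(seconds=20)      # how long a single token is accepted
JWT_REFRESH_EXPIRATION_DELTA = timedelta(days=1)  # how long after orig_iat refreshes are still allowed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64url(hmac.new(JWT_SECRET_KEY, signing_input, hashlib.sha256).digest())


def encode(payload: dict) -> str:
    """Minimal HS256 JWT encoder (stand-in for PyJWT, which the library uses)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.{_sign(f'{header}.{body}'.encode())}"


def decode(token: str, now: int, verify_exp: bool = True) -> dict:
    """Check the signature in constant time, then exp (skipped when JWT_VERIFY_EXPIRATION is off)."""
    header, body, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(f"{header}.{body}".encode())):
        raise ValueError("Error decoding signature.")
    payload = json.loads(_b64url_decode(body))
    if verify_exp and now >= payload["exp"]:   # PyJWT treats exp <= now as expired
        raise ValueError("Signature has expired.")
    return payload


def issue_token(username: str, now: int) -> str:
    """Token obtained with username/password: exp from JWT_EXPIRATION_DELTA, orig_iat = now."""
    return encode({"username": username,
                   "exp": now + int(JWT_EXPIRATION_DELTA.total_seconds()),
                   "orig_iat": now})


def refresh_token(token: str, now: int) -> str:
    """Refresh as DRF-JWT does: the token must still verify, and orig_iat must be inside the window.

    The new token carries the ORIGINAL orig_iat, so token1 -> token2 -> token3 can only continue
    until orig_iat + JWT_REFRESH_EXPIRATION_DELTA, however often you refresh.
    """
    payload = decode(token, now)                     # an already-expired token cannot be refreshed
    orig_iat = payload["orig_iat"]
    if now > orig_iat + int(JWT_REFRESH_EXPIRATION_DELTA.total_seconds()):
        raise ValueError("Refresh has expired.")
    return encode({"username": payload["username"],
                   "exp": now + int(JWT_EXPIRATION_DELTA.total_seconds()),
                   "orig_iat": orig_iat})


def is_accepted(token: str, now: int) -> bool:
    """What a JWT-protected endpoint decides for this token at time `now`."""
    try:
        decode(token, now)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Walk through the question's 20-second scenario with constructed timestamps."""
    t0 = 1_700_000_000
    results = {}
    token1 = issue_token("alice", t0)
    results["fresh_ok"] = is_accepted(token1, t0 + 5)
    results["expired_rejected"] = not is_accepted(token1, t0 + 20)      # 20 s later: rejected
    token2 = refresh_token(token1, t0 + 15)                              # before exp: allowed
    results["refreshed_keeps_orig_iat"] = decode(token2, t0 + 16)["orig_iat"] == t0
    try:
        refresh_token(token2, t0 + 15 + 20)                              # token2 itself has expired
        results["expired_refresh_rejected"] = False
    except ValueError:
        results["expired_refresh_rejected"] = True
    # Refresh every 15 s; the chain dies once orig_iat + JWT_REFRESH_EXPIRATION_DELTA passes.
    token, now, last_ok = token1, t0, t0
    while True:
        now += 15
        try:
            token = refresh_token(token, now)
            last_ok = now
        except ValueError:
            break
    results["last_successful_refresh"] = last_ok
    return results
```

A frontend that only checks whether a token is present in local storage never hits the exp check; the backend rejects the 20-second token as soon as it is sent, and the refresh endpoint refuses it too, which is why the token has to be refreshed before it expires.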

Related

can't invalidate token in cognito

I have a social media platform and I'm using Cognito for auth. When I delete users, they are not logged out. How can I deactivate tokens?
The token validity is 1 day. I waited for 1 day but it didn't log out.
I may be wrong, but it sounds like you don't clearly understand what a JWT is and how it works.
There are two types of JWT tokens: access token and refresh token.
An access token can't be invalidated for a single user until it expires. It is used for user authentication. On the other hand, a refresh token is used for creating new access tokens. By default, the expiry time of a refresh token is 30 days. So, a user is able to generate a new access token even if it has expired, as long as the refresh token is valid.
You have to revoke the refresh token when deleting a user. Also, the expiry time of the access token should be pretty short (e.g., 30 minutes). In this case the user will be able to stay logged in for only 30 minutes at most after refresh token revocation.
There is no info in your question about token revocation and which of the tokens is valid for 1 day, so I hope this info will help you figure out how it works.

error: invalid_grant , for getting access token using refresh token

After googling we came to know that invalid_grant means the refresh token is invalid.
Link to Google OAuth doc
We don't have any of the issues mentioned by Google. Is this error related to something else rather than the refresh token?
More Info
We have access to read and write spreadsheets and send Gmail.
We fetch an access token for each request.
Any help would be appreciated.
We're already in production and verified by Google.
Without seeing the full error message, that being
Invalid_grant {Message here}
it is hard to help, but from my experience it is most often caused by one of the following.
Refresh token expired, app not in production.
There are several reasons why a refresh token can expire; the most common one currently is as follows.
A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.
The fix is to go to the Google developer console, on the consent screen, and set your application to production; then your refresh token will stop expiring.
invalid_grant: Invalid JWT
{ "error": "invalid_grant", "error_description": "Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values and use a clock with skew to account for clock differences between systems." }
Your server's clock is not in sync with NTP. (Solution: check the server time; if it's incorrect, fix it.)
invalid_grant: Code was already redeemed
Means that you are taking an authentication code that has already been used and trying to get another access token / refresh token for it. Authentication codes can only be used once and they do expire, so they need to be used quickly.
Invalid_grant: bad request
Normally means that the client id and secret you are using to refresh the access token were not the ones that were used to create the refresh token you are using.
Always store the most recent refresh token.
Remember to always store the most recent refresh token. You can only have 50 outstanding refresh tokens for a single user and the oldest one will expire. Depending upon the language you are using, a new refresh token may be returned to you upon a refresh of the access token. Also, if you request consent of the user more than once you will get a different refresh token.
User revoked access
If the user revoked your access in their Google account, your refresh token will no longer work.
User changed password with Gmail scope.
If your refresh token was created with a Gmail scope and the user changed their password, your refresh token will be expired.
Links
OAuth2 RFC docs for the invalid_grant error: RFC 6749
invalid_grant
The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
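Two of the causes listed in the answer, the "Invalid JWT" clock window and the "always store the most recent refresh token" rule, can be checked in code before the request ever reaches Google. The following is an added example, not code from the original answer or from any Google client library; the 60-minute limit and the skew allowance come from the error message quoted above, the token endpoint URL is the standard one, and the 60-second skew, the issuer, scope and token responses are constructed for illustration.

```python
MAX_ASSERTION_LIFETIME = 60 * 60  # Google rejects service-account JWT assertions longer than 60 minutes
CLOCK_SKEW = 60                   # assumed leeway for clock drift between client and server
TOKEN_URI = "https://oauth2.googleapis.com/token"


def build_assertion_claims(issuer: str, scope: str, now: int,
                           lifetime: int = MAX_ASSERTION_LIFETIME) -> dict:
    """Claims of a service-account JWT assertion; `now` is the client's clock reading."""
    return {"iss": issuer, "scope": scope, "aud": TOKEN_URI, "iat": now, "exp": now + lifetime}


def check_assertion_window(claims: dict, server_now: int, skew: int = CLOCK_SKEW):
    """Pre-flight check against the server's view of time (e.g. from an NTP query or the
    Date header of a previous response). Returns None if acceptable, else the reason the
    token endpoint would answer invalid_grant / Invalid JWT."""
    iat, exp = int(claims["iat"]), int(claims["exp"])
    if exp <= iat:
        return "exp is not after iat"
    if exp - iat > MAX_ASSERTION_LIFETIME:
        return "lifetime exceeds 60 minutes"
    if iat > server_now + skew:
        return "iat is in the future (client clock ahead of server)"
    if exp <= server_now - skew:
        return "already expired (client clock behind server)"
    return None


def store_token_response(store: dict, user_id: str, response: dict, now: int) -> dict:
    """Persist a token endpoint response for a user.

    A refresh response may or may not carry a new refresh_token: keep the newest one when it
    is present and never overwrite the stored one with nothing, otherwise the next refresh
    will use a token that Google has already rotated out (bad request / invalid_grant).
    """
    rec = store.setdefault(user_id, {})
    rec["access_token"] = response["access_token"]
    rec["expires_at"] = now + int(response.get("expires_in", 0))
    if response.get("refresh_token"):
        rec["refresh_token"] = response["refresh_token"]
    return rec


def demo() -> dict:
    """Constructed scenarios: a correct client clock, a clock 10 minutes ahead, and a refresh
    response that omits refresh_token."""
    server_now = 1_700_000_000
    good = build_assertion_claims("svc@example.iam.gserviceaccount.com",
                                  "https://www.googleapis.com/auth/spreadsheets", server_now + 5)
    ahead = build_assertion_claims("svc@example.iam.gserviceaccount.com",
                                   "https://www.googleapis.com/auth/spreadsheets", server_now + 600)
    too_long = build_assertion_claims("svc@example.iam.gserviceaccount.com",
                                      "https://www.googleapis.com/auth/spreadsheets", server_now, 7200)
    store = {}
    store_token_response(store, "u1", {"access_token": "at1", "expires_in": 3599,
                                       "refresh_token": "rt1"}, server_now)
    store_token_response(store, "u1", {"access_token": "at2", "expires_in": 3599}, server_now + 3000)
    return {"good": check_assertion_window(good, server_now),
            "ahead": check_assertion_window(ahead, server_now),
            "too_long": check_assertion_window(too_long, server_now),
            "kept_refresh_token": store["u1"]["refresh_token"],
            "latest_access_token": store["u1"]["access_token"]}
```

If the refresh still fails after these checks pass, the remaining causes in the list (consent screen in Testing, code reuse, mismatched client id/secret, user revocation or password change) are all decided on Google's side and show up in the error_description, so log the full body rather than just "invalid_grant".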

Django rest framework JWT , delete the jwt token

How do I expire a Django REST framework JWT token manually? Because it does not store the token in the database, is there any correct way to expire the token?
I am thinking of continuing with middleware where the token will be stored per user. At every login request we will update the token in the DB for a user. At every request, we will fetch the token from the request and compare it with the stored token, and if it doesn't match then we'll return forbidden. I don't know whether it's a correct way or not!
You can't expire a JWT token; the token is self-contained and can only expire after the amount of time that's stored in its payload.
What you can do is to use both refresh and access tokens, and set a small amount of time for the access token. With that being said, your FE should update the access token when it's expired. You should store your refresh token in the database, and when you need to delete the access token, you can stop the user from updating it using the refresh token.
EDIT:
If you want to store the token in the database, you probably don't want to use JWT and stateless authorization at all. Instead stick with session-based authorization. When you want to expire the token, you can just delete the session from the DB.
UPDATE 2:
What people usually do in this situation is have a fast-access DB (like Redis) that has very few items. Instead of storing the JWT token in the database we create a table that contains blocked tokens (I assume the number of deleted tokens would be much less than the number of alive ones). BUT, now you sacrifice stateless authorization in favor of checking whether a token is in the database every time you authorize a user.
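The two revocation strategies described on this page, the Cognito answer's "revoke the refresh token and keep the access token short" and this answer's blocklist of deleted tokens, in one added example that is not part of either answer and not code from DRF-JWT, Cognito or Redis. Signature verification is assumed to have happened already, so access tokens are represented here as their verified claims (sub, jti, iat, exp) rather than as encoded JWTs; the in-memory dicts stand in for the database or Redis, and the 30-minute access TTL and 30-day refresh TTL are the values the Cognito answer mentions.

```python
import secrets

ACCESS_TTL = 30 * 60           # short-lived access token (30 minutes, per the Cognito answer)
REFRESH_TTL = 30 * 24 * 3600   # refresh token validity (30 days, the default the answer mentions)


class TokenStore:
    """Server-side state: opaque refresh tokens are stored; access tokens stay stateless unless blocked."""

    def __init__(self):
        self.refresh_tokens = {}   # refresh token -> {"sub": user, "exp": when it stops working}
        self.blocklist = {}        # jti of a blocked access token -> its exp, so entries can be pruned

    def _mint_access(self, sub: str, now: int) -> dict:
        return {"sub": sub, "jti": secrets.token_hex(16), "iat": now, "exp": now + ACCESS_TTL}

    def login(self, sub: str, now: int):
        """Password login: issue a short access token plus a long-lived, revocable refresh token."""
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = {"sub": sub, "exp": now + REFRESH_TTL}
        return self._mint_access(sub, now), refresh

    def refresh(self, refresh: str, now: int) -> dict:
        """Exchange a refresh token for a new access token; fails once the refresh token is revoked or expired."""
        rec = self.refresh_tokens.get(refresh)
        if rec is None or now >= rec["exp"]:
            raise PermissionError("refresh token invalid, expired or revoked")
        return self._mint_access(rec["sub"], now)

    def authorize(self, claims: dict, now: int) -> bool:
        """Per-request check after signature verification: exp, then the blocklist lookup."""
        self._prune(now)
        if now >= claims["exp"]:
            return False
        return claims["jti"] not in self.blocklist

    def revoke_user(self, sub: str) -> int:
        """What to do when a user is deleted: drop every refresh token they hold.
        Access tokens already issued keep working until their exp (at most ACCESS_TTL)."""
        doomed = [rt for rt, rec in self.refresh_tokens.items() if rec["sub"] == sub]
        for rt in doomed:
            del self.refresh_tokens[rt]
        return len(doomed)

    def block_access_token(self, claims: dict) -> None:
        """Immediate logout for one access token, at the cost of a lookup on every request."""
        self.blocklist[claims["jti"]] = claims["exp"]

    def _prune(self, now: int) -> None:
        """A blocked token that has expired on its own no longer needs an entry (keeps Redis small)."""
        for jti in [j for j, exp in self.blocklist.items() if exp <= now]:
            del self.blocklist[jti]


def demo() -> dict:
    """Constructed timeline: delete a user, then compare the two strategies."""
    t0 = 1_700_000_000
    store = TokenStore()
    access, refresh = store.login("user-42", t0)
    out = {"access_ok": store.authorize(access, t0 + 60)}
    out["revoked_refresh_tokens"] = store.revoke_user("user-42")        # user deleted at t0 + 120
    out["access_still_ok_after_revoke"] = store.authorize(access, t0 + 180)   # stateless: still valid
    try:
        store.refresh(refresh, t0 + 200)
        out["refresh_rejected"] = False
    except PermissionError:
        out["refresh_rejected"] = True                                    # cannot get a new one
    out["access_dead_after_ttl"] = not store.authorize(access, t0 + ACCESS_TTL)
    # Blocklist variant: log the user out right now instead of waiting up to ACCESS_TTL.
    access2, _ = store.login("user-43", t0)
    store.block_access_token(access2)
    out["blocked_immediately"] = not store.authorize(access2, t0 + 1)
    out["blocklist_size_before_prune"] = len(store.blocklist)
    store.authorize(access, t0 + ACCESS_TTL + 1)                          # any request after exp prunes it
    out["blocklist_size_after_prune"] = len(store.blocklist)
    return out
```

The trade-off the answer describes is visible in authorize: the refresh-token store is consulted only at login and refresh time, while the blocklist has to be consulted on every request, which is why it is kept in a fast store and pruned at the token's own exp.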

Django Rest JWT authentication - refresh token

I have a problem with my Django REST application and JWT authentication module (https://jpadilla.github.io/django-rest-framework-jwt) in the refresh token phase.
The default logic of refresh token says that non-expired tokens can be "refreshed" to obtain a brand new token with renewed expiration time. Expiration time is set on the BE.
The JWT framework provides an API for refreshing the token and you should use that to obtain a new token, so the expiration time resets on every "user action" on the web app.
This means that every call to the BE from my Angular 6 SPA must reset the expiration time of a token.
I thought of three ways to go:
1) Every call to the BE from the FE must call back the API to refresh the token. This means that the number of calls is always doubled.
Not elegant!
2) Call the API to refresh the token according to an algorithm (in the FE) to avoid duplicated calls.
Which algorithm?
3) Reset the expiration time of the token on the back end on every call from the FE, and use the same token from the FE.
I cannot do this!
Any suggestions?
Thanks
You don't need to refresh your token with every API call. Only a few minutes before expiration. Most tokens contain the expiration time. So you need to refresh it every time it almost expires. Something like this: token.expiration - currenttime <= 5 minutes.
I believe there are some libraries that can do that for you. Maybe Auth0.
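The "refresh only when it almost expires" rule from the answer, as an added example that is not part of the answer and is not Auth0 or DRF-JWT code. It is written in Python so it runs next to the other examples on this page, but the logic is what the SPA would do: read exp from the token's payload segment (no signature check, the client has no key and the value is only used for scheduling), and wrap every backend call so that a refresh happens only inside the final margin. The 5-minute margin is the answer's number; the token lifetime, call rate and the unsigned fixture tokens are constructed.

```python
import base64
import json

REFRESH_MARGIN = 5 * 60   # refresh when 5 minutes or less remain, as the answer suggests


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_exp(token: str) -> int:
    """Read exp from the payload segment. The frontend cannot verify the signature, so this
    value is only used to decide WHEN to refresh, never to decide whether the user is logged in."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return int(payload["exp"])


def needs_refresh(token: str, now: int, margin: int = REFRESH_MARGIN) -> bool:
    return token_exp(token) - now <= margin


class ApiClient:
    """Wraps backend calls so the refresh endpoint is hit only when the token is about to expire
    (option 2 in the question), not once per call (option 1)."""

    def __init__(self, token: str, refresh_endpoint):
        self.token = token
        self._refresh = refresh_endpoint   # callable(token, now) -> new token, e.g. POST /api-token-refresh/
        self.refresh_calls = 0

    def call(self, now: int, request):
        if needs_refresh(self.token, now):
            self.token = self._refresh(self.token, now)
            self.refresh_calls += 1
        return request(self.token)


def fake_token(exp: int) -> str:
    """Constructed fixture: header.payload.dummy-signature, only exp matters to the client."""
    header = base64.urlsafe_b64encode(b'{"alg":"HS256","typ":"JWT"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps({"exp": exp}).encode()).rstrip(b"=").decode()
    return f"{header}.{body}.sig"


def demo(lifetime: int = 3600, calls_per_minute: int = 4, minutes: int = 180) -> dict:
    """Simulate a SPA making `calls_per_minute` backend calls for `minutes` minutes with
    tokens that live `lifetime` seconds; count how many of those calls triggered a refresh."""
    t0 = 1_700_000_000
    client = ApiClient(fake_token(t0 + lifetime), lambda tok, now: fake_token(now + lifetime))
    for i in range(minutes * calls_per_minute):
        now = t0 + i * (60 // calls_per_minute)
        client.call(now, lambda tok: tok)     # the request itself is a no-op here
    return {"api_calls": minutes * calls_per_minute, "refresh_calls": client.refresh_calls}
```

With a one-hour token and a five-minute margin the simulation makes 720 backend calls in three hours and only 3 refresh calls, one every 55 minutes; with DRF-JWT the refreshed token still carries the original orig_iat, so this loop stops working once JWT_REFRESH_EXPIRATION_DELTA has passed and the user has to log in again.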

Django: jwt: How can I keep user logged in even the token can expire in one week period

I am having a mobile app which will show some articles, not very sensitive data. My backend is Django with JWT.
I am planning to keep 1 month as the token expiration time.
After the token gets expired, how do I refresh the token without the user logging in again? I want to keep them logged in forever, as long as one wants, but at the same time I want the token to be changed, because someone can misuse it.
How to do this with JWT and Django?