
I am building a Django Rest Framework API which is using JWT authentication. I have created access tokens and refresh tokens and sent them to users.

I also have a refresh token endpoint that takes the old refresh token, generates a new pair of tokens and sends them to the user.

I have a doubt about its behavior. Currently what I can see is that whenever I create a new pair of access and refresh tokens using the previous refresh token, the old access token is still working and the new one is also working.

However, once when I was using OAuth 2.0 (in a different case), I observed that in that case the old access token would not work if we had created new refreshed tokens.

But in the case of my implementation of JWT in DRF this does not happen. I am not storing tokens in the database.

So I want to know whether this is an implementation-specific problem or a property of JWT itself, and if it is a property then please share some details about it with me.

Thanks.

  • If the old access token is still working, then it's definitely being stored somewhere. The old tokens should be invalidated if a new pair of tokens is generated. – Scratch'N'Purr Jun 06 '22 at 14:13
  • I got to know that JWT tokens are themselves created in such a way that they remain valid until expiration, and hence after creating new tokens one can still use the previous ones. The thing is that I don't know how to invalidate tokens. Should I use a DB? – HARSH KUMAR CHOUDHARY Jun 06 '22 at 14:49
  • Are you using Simple JWT? – Scratch'N'Purr Jun 06 '22 at 15:14
  • yes, I was talking about that. – HARSH KUMAR CHOUDHARY Jun 07 '22 at 04:07
  • Read up on the blacklisting setting in their [docs](https://django-rest-framework-simplejwt.readthedocs.io/en/latest/settings.html#blacklist-after-rotation). The blacklist app uses a DB since it will have to store blacklisted tokens somewhere. However, you'll occasionally want to run a cron job to flush out expired tokens. – Scratch'N'Purr Jun 07 '22 at 12:24

1 Answer


According to the JWT introduction:

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

One of the values that you can encode is 'exp', which stands for the expiration date. That's why your old tokens do not expire: their expiration date is still valid, and no other claims changed. The idea behind the 'refresh' token is to provide new tokens with a bigger exp value. Put another way, you should not expect that the authorization will fail now, as the old token is still a correct one.

Also, you store nothing in the database (about this I also suggest reading the answer provided by @sdoxsee).

kadewu
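To make the answer concrete, and to show the blacklist-after-rotation idea that Scratch'N'Purr points to in the comments, here is an added example that is not code from the question, the answer or Simple JWT: a minimal HS256 JWT issuer and verifier in plain Python, plus a refresh step that blacklists the jti of every refresh token it rotates. The signing secret, the token lifetimes, the claim names (token_type, jti, user_id) and the user id are assumptions made for the demo; a real deployment should use a maintained library such as Simple JWT rather than hand-rolled signing.

```python
"""Stateless JWT verification vs. a jti blacklist (added example, not from the page)."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple

SECRET = b"demo-signing-secret-do-not-use"   # assumption: demo key only
ACCESS_LIFETIME = 300                        # assumption: 5 minutes
REFRESH_LIFETIME = 86400                     # assumption: 1 day


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(token_type: str, lifetime: int, now: int, user_id: int = 42) -> str:
    """Build header.payload.signature; the only state is inside the token itself."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"token_type": token_type, "user_id": user_id, "iat": now,
               "exp": now + lifetime, "jti": secrets.token_hex(8)}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, expected_type: str, now: int,
                 blacklist: Set[str] = frozenset()) -> Optional[Dict]:
    """Return the claims if signature, alg, type, exp and blacklist all pass, else None.

    Nothing here consults a database: a token with a good signature and a future
    exp is accepted no matter how many newer tokens were issued since, unless its
    jti is in the (server-side) blacklist.
    """
    try:
        h, p, s = token.split(".")
        expected_sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        if header.get("alg") != "HS256":          # never trust alg from the token
            return None
        if payload.get("token_type") != expected_type:
            return None
        if payload["exp"] <= now:                 # the claim the answer talks about
            return None
        if payload["jti"] in blacklist:           # the only stateful check
            return None
        return payload
    except (ValueError, KeyError, TypeError):
        return None


def issue_pair(now: int) -> Tuple[str, str]:
    return issue_token("access", ACCESS_LIFETIME, now), issue_token("refresh", REFRESH_LIFETIME, now)


def refresh(old_refresh: str, now: int, blacklist: Set[str]) -> Optional[Tuple[str, str]]:
    """Rotate: accept the old refresh token once, blacklist its jti, issue a new pair."""
    claims = verify_token(old_refresh, "refresh", now, blacklist)
    if claims is None:
        return None
    blacklist.add(claims["jti"])
    return issue_pair(now)


def tamper(token: str, **changes) -> str:
    """Rewrite payload claims without re-signing, to show the signature check."""
    h, p, s = token.split(".")
    payload = json.loads(_b64url_decode(p))
    payload.update(changes)
    return f"{h}.{_b64url(json.dumps(payload, separators=(',', ':')).encode())}.{s}"


def demo() -> Dict[str, bool]:
    t0 = 1_000_000                       # constructed clock, seconds
    blacklist: Set[str] = set()
    access1, refresh1 = issue_pair(t0)
    access2, refresh2 = refresh(refresh1, t0 + 60, blacklist)
    return {
        # stateless: the old access token keeps working until its own exp
        "old_access_still_valid": verify_token(access1, "access", t0 + 61) is not None,
        "new_access_valid": verify_token(access2, "access", t0 + 61) is not None,
        # stateful: the rotated refresh token is rejected on reuse
        "old_refresh_reusable": refresh(refresh1, t0 + 62, blacklist) is not None,
        "new_refresh_usable": refresh(refresh2, t0 + 63, blacklist) is not None,
        "old_access_after_exp": verify_token(access1, "access", t0 + ACCESS_LIFETIME + 1) is not None,
        "tampered_rejected": verify_token(tamper(access1, user_id=1), "access", t0 + 61) is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The demo makes the answer's point visible: access1 still verifies after the refresh because its signature and exp are untouched, and it only stops verifying when the clock passes exp. The blacklist set stands in for the database table the comments mention; it is the only reason the reused refresh1 is rejected, and it is also why that table needs periodic pruning of expired entries. Rejecting old access tokens the same way would mean checking the blacklist on every request, which is exactly the server-side state a stateless JWT design avoids, so keeping access lifetimes short is the usual compromise.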