IndominusByte / fastapi-jwt-auth

FastAPI extension that provides JWT Auth support (secure, easy to use, and lightweight)
http://indominusbyte.github.io/fastapi-jwt-auth/
MIT License

[Question] Revoking tokens on refresh #65

Open ultratin opened 2 years ago

ultratin commented 2 years ago

Is there any way to revoke tokens programmatically? Right now tokens are revoked with the following code

    Authorize.jwt_required()

    # revoke the current token: store its jti until the token would have expired anyway
    jti = Authorize.get_raw_jwt()['jti']
    redis_conn.setex(jti, settings.access_expires, 'true')

The problem lies with Authorize.get_raw_jwt which only allows revoking of the token that is required. My use case is that on refresh, I would like to refresh both access_token and refresh_token. Is there any way to accomplish that?

ultratin commented 2 years ago

Looks like I can get the tokens from the cookies straight from the Request object and access their jti with Authorize.get_jti and revoke the tokens from there. Would that be the only way? It would be great if there was a get_token_from_cookie(name="access") method that I could call to simplify things a little bit more.

SelfhostedPro commented 2 years ago

Why are you revoking the access token on refresh? The refresh endpoint should only be getting hit if the access token is already invalid.

ultratin commented 2 years ago

I'm not super familiar with the subject but let's say the refresh last for 7 days, the user would be logged out no matter what after 7 days right? What should I be doing if I wanted to extend the refresh past the expiry if the user stays logged in?

SelfhostedPro commented 2 years ago

You can't extend the refresh past the expiration. You can change the expiration time though. It's automatically invalidated once it's expired.

ultratin commented 2 years ago

Yes, so I'm planning to refresh the refresh token as well. Is that a bad idea?

mccarreon commented 2 years ago

> Yes, so I'm planning to refresh the refresh token as well. Is that a bad idea?

Found this Stack Overflow post in my research on JWT auth.

I think you're trying to implement what's called refresh token rotation, where you refresh the refresh token every time it's used.

Be aware that this can lead to an attacker intercepting the RT, and having infinite uses if the user never returns to the app.
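The rotation discussed in this thread, as an added example that is not code from fastapi-jwt-auth or from anyone in the issue: the Redis `setex`-based denylist from the first comment is modelled by an in-memory `Denylist` with the same semantics (an entry lives only as long as the token it revokes), `rotate` revokes both the presented refresh token and the still-valid access token before issuing a new pair, and a refresh jti that is presented a second time is refused, which is the one place where a captured-and-rotated token becomes visible. The FastAPI/`AuthJWT` wiring is left out; `uuid4` strings stand in for the library's jti values, and the two expiry constants are constructed to mirror `settings.access_expires` and the 7-day refresh lifetime mentioned above.

```python
import time
import uuid


class Denylist:
    """In-memory stand-in for the Redis denylist used in the question:
    setex(jti, ttl) marks a token id revoked until that token would have
    expired on its own, so entries lapse without manual cleanup."""

    def __init__(self):
        self._entries = {}  # jti -> unix time at which the entry lapses

    def setex(self, jti, ttl_seconds, now=None):
        now = time.time() if now is None else now
        self._entries[jti] = now + ttl_seconds

    def exists(self, jti, now=None):
        now = time.time() if now is None else now
        expiry = self._entries.get(jti)
        if expiry is None:
            return False
        if expiry <= now:  # lapsed entry: the token it covered is expired anyway
            del self._entries[jti]
            return False
        return True


# Constructed values mirroring settings.access_expires and a 7-day refresh token.
ACCESS_EXPIRES = 15 * 60
REFRESH_EXPIRES = 7 * 24 * 3600


def rotate(denylist, refresh_jti, access_jti, now=None):
    """Refresh-token rotation: revoke the presented refresh token and the
    caller's still-valid access token, then mint a fresh pair of ids.

    Returns (new_access_jti, new_refresh_jti), or None when the refresh
    token is already on the denylist. A second presentation of a rotated
    refresh token means two parties hold it, so the request is refused
    rather than rotated again."""
    if denylist.exists(refresh_jti, now):
        return None
    denylist.setex(refresh_jti, REFRESH_EXPIRES, now)
    if access_jti is not None:  # access cookie may already be gone if it expired
        denylist.setex(access_jti, ACCESS_EXPIRES, now)
    return str(uuid.uuid4()), str(uuid.uuid4())
```

In the real endpoint the two jti values come from `Authorize.get_raw_jwt()['jti']` after `Authorize.jwt_refresh_token_required()` and from `Authorize.get_jti(...)` on the access cookie read from the `Request`, as the second comment describes.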