
refresh token MaxRefresh question.

Open bryant24 opened this issue 8 years ago • 9 comments

Hi, I set Timeout and MaxRefresh both to 1 minute. When the token expired after one minute, I used the old token in the header and requested the refresh_token API, but it still returned expired. If I use ajax to request my API and find the token has expired, ajax needs to request refresh_token to get a new one, but the response says expired, so how do I resolve this?? thx!

bryant24 avatar Feb 14 '17 02:02 bryant24

I see in the example script:

auth.Use(authMiddleware.MiddlewareFunc())
    {
        auth.GET("/hello", helloHandler)
        auth.GET("/refresh_token", authMiddleware.RefreshHandler)
    }

When using refresh_token, is the token first validated in authMiddleware.MiddlewareFunc()? Maybe that's the reason.

bryant24 avatar Feb 14 '17 02:02 bryant24

RefreshHandler() doesn't work if the token has expired. The underlying JWT library fails the token if it's expired. So gin-jwt never reaches RefreshHandler() if the token has expired, regardless of the MaxRefresh setting.

jbfm avatar Mar 30 '17 12:03 jbfm

I found: refreshing a token does not change the refresh period of the new token; it keeps the time period of the old token.

func (mw *GinJWTMiddleware) RefreshHandler(c *gin.Context) {
	token, _ := mw.parseToken(c)
	claims := token.Claims.(jwt.MapClaims)

	origIat := int64(claims["orig_iat"].(float64))
	if origIat < mw.TimeFunc().Add(-mw.MaxRefresh).Unix() {
		mw.unauthorized(c, http.StatusUnauthorized, mw.HTTPStatusMessageFunc(ErrExpiredToken, c))
		return
	}
	........
	newClaims["orig_iat"] = origIat

gonboy avatar Dec 13 '17 00:12 gonboy

Could RefreshHandler also catch errors itself, but exclude the token-expired error:

func (mw *GinJWTMiddleware) RefreshHandler(c *gin.Context) {
	token, err := mw.parseToken(c)
	if err != nil {
		// Reject unless the only validation failure is expiry; a bare type
		// assertion would panic on errors that are not *jwt.ValidationError.
		ve, ok := err.(*jwt.ValidationError)
		if !ok || ve.Errors != jwt.ValidationErrorExpired {
			mw.unauthorized(c, http.StatusUnauthorized, mw.HTTPStatusMessageFunc(err, c))
			return
		}
	}
	...........

That way the refresh-token endpoint would not need to be protected by the JWT middleware. Would this work?

weiyuheng avatar Feb 11 '18 10:02 weiyuheng

@weiyuheng You can't use refresh handler if the token is already expired.

appleboy avatar Jun 21 '18 03:06 appleboy

@gonboy this bug was fixed in #135

ravone avatar Jul 06 '18 20:07 ravone

Is it safe to assume that the internal comment below is wrong? Currently, is it only useful to have MaxRefresh lower than Timeout, and by doing so limit the time during which the client can refresh a token instead of requesting a new one?

// This field allows clients to refresh their token until MaxRefresh has passed.
// Note that clients can refresh their token in the last moment of MaxRefresh.
// This means that the maximum validity timespan for a token is MaxRefresh + Timeout.
// Optional, defaults to 0 meaning not refreshable.
MaxRefresh time.Duration

drsect0r avatar Aug 10 '18 08:08 drsect0r

the maximum validity timespan for a token is MaxRefresh + Timeout.

But it doesn't work (. When I use:

Timeout:     time.Second * 10,
MaxRefresh:  time.Hour * 24,

And try to refresh the expired token after 20 seconds via JwtAuthMiddleware.RefreshHandler - I get the error:

401 Token is expired

Why? How to use the parameter MaxRefresh? Thanks.

sorbing avatar Sep 18 '18 12:09 sorbing
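The behaviour debated in this thread (the orig_iat check quoted by gonboy, the "MaxRefresh + Timeout" claim quoted by drsect0r, and sorbing's 10 s / 24 h scenario) can be reproduced with plain standard-library Go. This is an added example, not gin-jwt's own code: Claims, validate and refresh are constructed stand-ins for the library's token handling, and the timestamps are made up.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Claims holds the two claims the refresh logic depends on (constructed stand-in).
type Claims struct {
	OrigIat int64 // issue time of the first token in this refresh chain
	Exp     int64 // expiry of this particular token
}

var ErrExpired = errors.New("Token is expired")
var ErrRefreshWindowClosed = errors.New("refresh window closed")

// validate is the strict check the auth middleware applies: any expired token fails.
func validate(c Claims, now time.Time) error {
	if now.Unix() >= c.Exp {
		return ErrExpired
	}
	return nil
}

// refresh applies the rule from the quoted RefreshHandler: the chain may be renewed only while
// orig_iat is newer than now - MaxRefresh, and the new token keeps the original orig_iat.
// tolerateExpired models a handler that is NOT behind the strict middleware.
func refresh(c Claims, now time.Time, timeout, maxRefresh time.Duration, tolerateExpired bool) (Claims, error) {
	if err := validate(c, now); err != nil && !(tolerateExpired && errors.Is(err, ErrExpired)) {
		return Claims{}, err
	}
	if c.OrigIat < now.Add(-maxRefresh).Unix() {
		return Claims{}, ErrRefreshWindowClosed
	}
	return Claims{OrigIat: c.OrigIat, Exp: now.Add(timeout).Unix()}, nil
}

func main() {
	timeout, maxRefresh := 10*time.Second, 24*time.Hour
	t0 := time.Unix(1600000000, 0) // constructed issue time
	tok := Claims{OrigIat: t0.Unix(), Exp: t0.Add(timeout).Unix()}
	// sorbing's case: refresh attempted 20 s after issue, behind the middleware -> expired.
	_, err := refresh(tok, t0.Add(20*time.Second), timeout, maxRefresh, false)
	fmt.Println("behind middleware:", err)
	// Same request when only the expiry error is tolerated: orig_iat is still inside MaxRefresh.
	nt, err := refresh(tok, t0.Add(20*time.Second), timeout, maxRefresh, true)
	fmt.Println("tolerating expiry:", nt, err)
	// Even then the chain cannot outlive orig_iat + MaxRefresh (+ Timeout for the last token).
	_, err = refresh(nt, t0.Add(maxRefresh+time.Second), timeout, maxRefresh, true)
	fmt.Println("after MaxRefresh:", err)
}
```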

Any update on this issue?

basementdwellers69 avatar Oct 29 '21 09:10 basementdwellers69