
Refresh token does not work if access_token is expired?

Open kamleshwebtech opened this issue 4 years ago • 12 comments

I am using Lumen 8.0 with this jwt-auth package. I am facing an issue where refresh_token does not regenerate access_token when access_token is expired.

Kindly share any suggestions if you have them. Thanks a lot. Looking forward to hearing from you. Thanks.

kamleshwebtech avatar Apr 28 '21 05:04 kamleshwebtech

There is a setting called JWT_REFRESH_TTL or simply refresh_ttl, which defines how long the old token would be accepted for a refresh. Maybe check if it is configured correctly! Once this time-frame has expired, the old token is not accepted for generating a new one.

BenceSzalai avatar Apr 30 '21 18:04 BenceSzalai

Related issue: https://github.com/tymondesigns/jwt-auth/issues/2056

CodeNinja1337 avatar May 06 '21 06:05 CodeNinja1337

@BenceSzalai have you tried it by yourself? I mean refresh_ttl because it doesn't seem to work.

zvermafia avatar May 15 '21 16:05 zvermafia

Sorry, no, I've only used it with Laravel, where it worked fine. I just thought it may be worth checking those settings.

BenceSzalai avatar May 15 '21 21:05 BenceSzalai

@BenceSzalai I use Laravel, too, but it doesn't work

zvermafia avatar May 17 '21 09:05 zvermafia

Well, I've never used Lumen myself, so I don't know what the differences are compared to regular Laravel. Maybe if you shared some of your code and what you are trying to achieve someone may be able to help, but it seems more like a StackOverflow topic to me than an issue here, since it does not seem to be an issue with jwt-auth. I can generate a refreshed token by $newToken = auth()->refresh(); and I have to assume it works for thousands of other users of the package...

BenceSzalai avatar May 18 '21 08:05 BenceSzalai

I just followed the doc and set ttl = 1, refresh_ttl = 2. After the minute (when the token has expired) I try to refresh the token, but it gives me 401 (sure, because the token has expired and you can't authenticate with it, or maybe you could authenticate but you don't have authorization for any action except refreshing the token?!). I said OK and removed authentication from the refresh route; now it works, but it doesn't refresh the refresh token's expiration time. Also, there is no method to get the actual expiration times for the user other than this strange one: auth()->blacklist()->getRefreshTTL(). Why does it need to be called through blacklist()?!

I think it must work when you write the code as shown in the documentation.

zvermafia avatar May 19 '21 05:05 zvermafia

And I'm not fighting with you, I just don't understand and am writing down my thoughts...

zvermafia avatar May 19 '21 05:05 zvermafia

I'm not fighting either, just saying it is not really a discussion for this forum. That being said, sure, the refresh token route must be excluded from the auth middleware. I'm generating a refreshed token like this:

```php
// Issue a new token from the token on the request; the old token may be past
// its ttl as long as it is still inside refresh_ttl.
$token = (string) auth()->refresh();
// Read the real "exp" claim of the token that was just generated.
$expiration = auth()->setToken($token)->getPayload()->get('exp');
```

I think auth()->blacklist()->getRefreshTTL() gives you the default TTL; my code above gives you the actual expiration time of the very token just generated. To return an "expires_in" in the response you can then just use $expiration - time().

BenceSzalai avatar May 19 '21 08:05 BenceSzalai

Hi, in my case the problem arises when I try to invalidate an expired token. The user tries to access an endpoint, the token is expired, and it then tries to refresh it. All works unless the refresh logic tries to invalidate (blacklist) the expired token. Thanks

dhcmega

dhcmega avatar Jun 15 '21 20:06 dhcmega

I ran into the same issue described here; the way I resolved this was to remove any JWT middleware from my refresh route and refresh manually:

```php
// Imports at the top of the controller
use Illuminate\Http\Response;
use Tymon\JWTAuth\Exceptions\JWTException;
use Tymon\JWTAuth\Facades\JWTAuth;

// The refresh route is registered outside the JWT auth middleware, so an
// expired access token reaches this method instead of being rejected up front.
public function refreshToken()
{
	try {
		// parseToken() only extracts the token from the request; refresh()
		// does the refresh-flow validation (refresh_ttl window, blacklist)
		// and mints the new token.
		$token = JWTAuth::parseToken()->refresh();
	} catch (JWTException $e) {
		return $this->sendError("Unable to refresh token", Response::HTTP_INTERNAL_SERVER_ERROR);
	}

	return $this->sendResponse(["token" => $token], "Successfully refreshed token");
}
```

mattmcardle avatar Jul 22 '21 09:07 mattmcardle
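Pulling together what BenceSzalai and mattmcardle describe above, here is a complete refresh endpoint as an added example (editor's code, not part of the thread or of the jwt-auth package). The class name `AuthController`, the route name and the JSON error strings are assumptions; the calls into jwt-auth (`auth()->refresh()`, `setToken()`, `getPayload()`) and the exception classes are the package's own. The controller only works if its route is registered outside the `auth:api` middleware group, because that middleware authenticates the request with the old token and rejects it as soon as `exp` has passed, before the controller runs.

```php
<?php
// app/Http/Controllers/AuthController.php (added example; class and route names are assumptions)

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Tymon\JWTAuth\Exceptions\JWTException;
use Tymon\JWTAuth\Exceptions\TokenBlacklistedException;
use Tymon\JWTAuth\Exceptions\TokenExpiredException;

class AuthController extends Controller
{
    /**
     * Exchange an access token that is past `ttl` but still inside
     * `refresh_ttl` for a fresh one.
     *
     * Register this route OUTSIDE the `auth:api` middleware group, e.g.
     *   Route::post('auth/refresh', [AuthController::class, 'refresh']);
     * Behind `auth:api` the expired token is rejected with 401 before
     * this method is ever reached.
     */
    public function refresh(): JsonResponse
    {
        try {
            // refresh() decodes the old token in "refresh flow": the exp check is
            // skipped, the iat + refresh_ttl window is enforced, the old token is
            // blacklisted (when the blacklist is enabled) and a new token is issued
            // for the same subject. Do not call invalidate() on the old token
            // separately here: it decodes without the refresh flow and throws on an
            // already-expired token (this matches dhcmega's report above).
            $token = (string) auth()->refresh();
        } catch (TokenBlacklistedException $e) {
            // Old token was already refreshed or logged out: treat as a replay.
            return response()->json(['error' => 'token_blacklisted'], 401);
        } catch (TokenExpiredException $e) {
            // Outside the refresh_ttl window: the user must log in again.
            return response()->json(['error' => 'refresh_window_expired'], 401);
        } catch (JWTException $e) {
            // Missing, malformed or badly signed token.
            return response()->json(['error' => 'token_invalid'], 401);
        }

        // Take exp from the token just minted rather than from the default TTL,
        // so expires_in matches what the client actually holds.
        $exp = auth()->setToken($token)->getPayload()->get('exp');

        return response()->json([
            'access_token' => $token,
            'token_type'   => 'bearer',
            'expires_in'   => $exp - time(),
        ]);
    }
}
```

Two checks worth doing when this still returns 401: confirm the route really is outside every group that applies `auth:api` or `jwt.auth` (a group-level middleware in routes/api.php is the usual culprit), and confirm `refresh_ttl` (`JWT_REFRESH_TTL`, in minutes) is larger than `ttl` and larger than the time the client waits before refreshing, since the refresh window is measured from the token's `iat`, not from its `exp`.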

I have the same issue. Is this a bug in the documentation then? Should both "login" and "refresh" be public routes?

erikroznbeker avatar Aug 20 '21 13:08 erikroznbeker