This repository has been archived by the owner on Feb 22, 2024. It is now read-only.

how use JWT_VERIFY_EXPIRATION #107

Open
Bencyril opened this issue Nov 10, 2016 · 3 comments

Comments

@Bencyril

My config is:
JWT_AUTH_URL_RULE = "/api/v1/auth"
JWT_VERIFY_EXPIRATION = False

I use the token for my mobile app. I want my token to never expire, but it doesn't work.

Do you have an idea?

@paulsoh

paulsoh commented Dec 31, 2016

I also needed this feature and after taking a look I noticed that the JWT_VERIFY_EXPIRATION part isn't implemented right now. I am working on it on a forked version.

@vimalloc

This project has basically been abandoned, it seems. Perhaps check out https://github.com/vimalloc/flask-jwt-extended instead (full disclosure, I'm the author). It can do (basically) unlimited-length access tokens right out of the box, but it has a bunch of other built-in goodies to make working in these situations more secure.

In flask-jwt-extended, if you just need a token that lasts forever, you can set JWT_ACCESS_TOKEN_EXPIRES to thousands of years in the future, essentially making it last forever. However, you can do more to control and secure your app with this extension. You can make a refresh token that lasts forever, which can generate new access tokens which have a smaller fixed life. You can also combine that with the idea of fresh and non-fresh access tokens, so that access tokens generated with the refresh token are marked as non-fresh, and cannot access specific critical endpoints (such as updating passwords, completing online purchases, etc.) without verifying their username and password again.

http://flask-jwt-extended.readthedocs.io/en/latest/refresh_tokens.html
http://flask-jwt-extended.readthedocs.io/en/latest/token_freshness.html

You also have the option to enable token blacklisting, so if a single token gets compromised you can simply blacklist that one, instead of having to change your secret key and invalidate all of the tokens. There are of course trade-offs to this, as you now need to keep state on your servers and it is no longer an entirely stateless implementation, hence it being completely optional.

http://flask-jwt-extended.readthedocs.io/en/latest/blacklist_and_token_revoking.html

Ok, done with the sales pitch. I hope that gave you some ideas to think about, and that whatever route you end up going works well for you!

Cheers :)

@justindz

Does flask-jwt-extended have (or can it have) support for the ability to extend a token expiration based on recent usage? I'd love to have tokens expire after X amount of time, but renew if they are used within that period (without requiring the client to obtain and use a new token, ideally).
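The token model vimalloc lays out above (a refresh token with no expiry, short-lived non-fresh access tokens minted from it, fresh access tokens only from a password login, and per-token revocation) and justindz's sliding-expiry question, as an added example that is not part of the original thread. This is not flask-jwt-extended's code or flask-jwt's: it is a standard-library HS256 implementation of the same pattern so it runs stand-alone. The secret, the `USERS` store and the 15-minute access lifetime are constructed for the example; the function names (`login`, `refresh`, `renew_if_active`, `revoke`) are illustrative, not the library's API.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed for the example; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-do-not-reuse"
ACCESS_TTL = 15 * 60                 # access tokens live 15 minutes (assumed value)
REVOKED_JTIS = set()                 # the only server-side state; needed just for revocation
USERS = {"alice": "correct horse"}   # constructed credential store (real code checks a hash)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(claims):
    """Serialise claims as a compact HS256 JWT (header.payload.signature)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def decode(token, token_type, now=None, require_fresh=False):
    """Verify signature, pinned alg, token type, expiry, revocation and freshness."""
    now = time.time() if now is None else now
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise ValueError("bad signature")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")        # pin the algorithm; never trust the token's
    claims = json.loads(_unb64(payload))
    if claims.get("type") != token_type:
        raise ValueError("wrong token type")      # a refresh token must not pass as an access token
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")               # refresh tokens carry no exp, so they skip this
    if claims.get("jti") in REVOKED_JTIS:
        raise ValueError("revoked")
    if require_fresh and not claims.get("fresh"):
        raise ValueError("fresh token required")
    return claims


def _access_token(sub, fresh, now):
    return encode({"type": "access", "sub": sub, "fresh": fresh,
                   "iat": now, "exp": now + ACCESS_TTL, "jti": uuid.uuid4().hex})


def login(username, password, now=None):
    """Password login: a fresh access token plus a refresh token with no exp."""
    now = time.time() if now is None else now
    if USERS.get(username) != password:
        raise PermissionError("bad credentials")
    refresh_token = encode({"type": "refresh", "sub": username,
                            "iat": now, "jti": uuid.uuid4().hex})
    return _access_token(username, True, now), refresh_token


def refresh(refresh_token, now=None):
    """Trade a valid refresh token for a new, non-fresh access token."""
    now = time.time() if now is None else now
    claims = decode(refresh_token, "refresh", now)
    return _access_token(claims["sub"], False, now)


def renew_if_active(access_token, now=None):
    """Sliding expiry: a still-valid access token is replaced by one with a later exp.
    A signed token cannot be extended in place, so the client has to swap to the new one."""
    now = time.time() if now is None else now
    claims = decode(access_token, "access", now)
    return _access_token(claims["sub"], claims["fresh"], now)


def revoke(token):
    """Blocklist one token by its jti; every other token stays valid."""
    _, payload, _ = token.split(".")
    REVOKED_JTIS.add(json.loads(_unb64(payload))["jti"])
```

`decode` refuses a refresh token presented where an access token is expected, which matters once the refresh token never expires: it must only ever be accepted by the refresh endpoint. `renew_if_active` is the closest a stateless JWT gets to the sliding expiry justindz asks about; the `exp` claim is covered by the signature, so the server can only issue a replacement token, and the client still has to store it.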
