Add support for a refresh token

Created on 26 September 2023, 9 months ago

Problem/Motivation

The JWT expiration time is only 1 hour, so if a user remains idle for more than 1 hour, they will be logged out with the "JWT Invalidation on user logout" patch (issue status: Needs work). To keep users logged in, we must extend the JWT validity, for example, to 30 days. However, this approach poses security risks because if the JWT is compromised during those 30 days, it can be used to access any part of the site the user has access to. This is why we need a refresh token, which serves the purpose of establishing a JWT renewal mechanism, while keeping the JWT authorization period short to enhance security.

Steps to reproduce

  1. Apply the patch from the "JWT Invalidation on user logout" issue (status: Needs work).
  2. Log in with JWT and wait over one hour.

Proposed resolution

When a request is made to the JWT Auth Issuer route (jwt/token) and the JWT is found to have expired, a new JWT is generated via the refresh token. The refresh token’s expiration time can be 30 days or even longer, such as a year, without posing a security risk. This is because the refresh token can only be used for renewing the JWT and does not grant direct access to other functionalities.

Remaining tasks

User interface changes

API changes

Data model changes

Type: Feature request
Status: Active
Version: 2.0
Component: Code
Created by: Daniel Korte (United States, Brooklyn, NY)


Comments & Activities

  • Issue created by @Daniel Korte
  • 🇨🇭Switzerland lukas.fischer

    +1

  • 🇳🇿New Zealand davidwhthomas

    I ended up implementing a token refresh workflow using the session cookie as the refresh token.

    It has some benefits, such as

    • The /jwt/token path accepts cookie auth
    • The session cookie as the refresh token is created automatically on login and removed on logout.
    • The session lifetime settings control the refresh token validity period.
    • To revoke the refresh token, the session can be closed or deleted.
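
Neither the issue summary nor the comment above includes code. The following self-contained PHP is an added example, not the jwt module's code and not davidwhthomas's implementation. It models the mechanism proposed in the summary (a one-hour JWT renewed at a jwt/token-style route through a long-lived, single-use refresh token kept server-side) together with the revocation point made in the comment (closing the user's session, here modelled as deleting the user's store rows, invalidates the refresh token). Every name in it (`mint_jwt`, `verify_jwt`, `RefreshTokenStore`, `token_endpoint`), the in-memory array standing in for a database table, and the demo secret are assumptions; it uses only PHP core functions.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical names; not the jwt module's code).

function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $s): string {
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode(strtr($s, '-_', '+/') . $pad);
}

// Mint an HS256 JWT that lives only $ttl seconds (the issue's "1 hour").
function mint_jwt(array $claims, string $secret, int $ttl, int $now): string {
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode($claims + ['iat' => $now, 'exp' => $now + $ttl]));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Check signature (recomputed with our own algorithm, so the header's alg is
// never trusted) and expiry. Returns the claims, or null if either fails.
// A refresh token is an opaque random string, so it always fails here:
// on its own it grants no access to the site.
function verify_jwt(string $jwt, string $secret, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    if (!hash_equals($expected, $sig)) {
        return null;
    }
    $claims = json_decode(b64url_decode($payload), true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] <= $now) {
        return null;
    }
    return $claims;
}

// Server-side refresh token store (in-memory stand-in for a database table).
// Only a hash of each token is kept, so a leaked table yields nothing usable;
// tokens are single-use and rotated every time they are redeemed.
final class RefreshTokenStore {
    /** @var array<string, array{uid:int, exp:int}> */
    private array $rows = [];

    public function issue(int $uid, int $ttl, int $now): string {
        $token = b64url(random_bytes(32));
        $this->rows[hash('sha256', $token)] = ['uid' => $uid, 'exp' => $now + $ttl];
        return $token;
    }

    // Returns the owning uid, or null. The token is consumed either way.
    public function redeem(string $token, int $now): ?int {
        $key = hash('sha256', $token);
        $row = $this->rows[$key] ?? null;
        if ($row === null) {
            return null;
        }
        unset($this->rows[$key]);
        return $row['exp'] > $now ? $row['uid'] : null;
    }

    // Logout / "close the session": every refresh token of this user dies.
    public function revokeUser(int $uid): void {
        $this->rows = array_filter($this->rows, fn($r) => $r['uid'] !== $uid);
    }
}

// Model of the jwt/token route: a valid refresh token yields a fresh one-hour
// JWT plus a rotated 30-day refresh token; anything else is 401.
function token_endpoint(RefreshTokenStore $store, string $secret, ?string $refresh, int $now): array {
    $uid = $refresh === null ? null : $store->redeem($refresh, $now);
    if ($uid === null) {
        return ['status' => 401];
    }
    return [
        'status'        => 200,
        'jwt'           => mint_jwt(['sub' => $uid], $secret, 3600, $now),
        'refresh_token' => $store->issue($uid, 30 * 86400, $now),
    ];
}

function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("failed: $what");
    }
}

// Walk-through with a fixed clock and a constructed secret.
$secret  = 'constructed-demo-secret';
$store   = new RefreshTokenStore();
$t0      = 1700000000;
$refresh = $store->issue(42, 30 * 86400, $t0);
$jwt     = mint_jwt(['sub' => 42], $secret, 3600, $t0);

check(verify_jwt($jwt, $secret, $t0 + 3599)['sub'] === 42, 'JWT valid inside the hour');
check(verify_jwt($jwt, $secret, $t0 + 3601) === null, 'JWT rejected after the hour');
check(verify_jwt($refresh, $secret, $t0) === null, 'refresh token is not a bearer credential');

$renewed = token_endpoint($store, $secret, $refresh, $t0 + 7200);
check($renewed['status'] === 200, 'expired session renewed via refresh token');
check(verify_jwt($renewed['jwt'], $secret, $t0 + 7200)['sub'] === 42, 'new JWT carries the user');
check(token_endpoint($store, $secret, $refresh, $t0 + 7200)['status'] === 401, 'old refresh token is single-use');

$store->revokeUser(42);
check(token_endpoint($store, $secret, $renewed['refresh_token'], $t0 + 7200)['status'] === 401, 'logout revokes renewal');
echo "ok\n";
```

The walk-through shows the two properties the summary relies on: the JWT is dead after an hour while the refresh token still renews it, and the refresh token by itself never passes `verify_jwt`. Single-use rotation and per-user revocation are what make a 30-day (or longer) refresh token tolerable: a replayed or leaked token is refused, and logout ends renewal immediately, which is the same effect the comment gets from closing the session.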