Search code examples
djangodjango-rest-frameworkjwttokendjango-rest-framework-jwt

Difference between JWT token expiration_delta and JWT Refresh Expiration Delta django jwt

I am using django rest frameworks JWT library

http://getblimp.github.io/django-rest-framework-jwt/

There are two settings on JWT token expiration

JWT_EXPIRATION_DELTA which is in seconds

The docs on it:

You can turn off expiration time verification by setting JWT_VERIFY_EXPIRATION to False. Without expiration verification, JWTs will last forever meaning a leaked token could be used by an attacker indefinitely. This is an instance of Python's datetime.timedelta. This will be added to datetime.utcnow() to set the expiration time.

Default is datetime.timedelta(seconds=300)(5 minutes).

and JWT_REFRESH_EXPIRATION_DELTA

Docs:

mit on token refresh, is a datetime.timedelta instance. This is how much time after the original token that future tokens can be refreshed from.

Default is datetime.timedelta(days=7) (7 days).

Im not sure on the different use cases. I set the jwt token expiration delta to 20 seconds.

Then got a token saved it to local waited 20 seconds closed my browser window and re navigated to the site

expecting to not be logged in because the token would of expired but I was logged in.

So then what is the difference between JWT token expiration delta

and JWT Refresh Expiration Delta?

Solution

  • JWT_EXPIRATION_DELTA is the actual time till your JWT token will work. After the time mention in JWT_EXPIRATION_DELTA, whenever you will use this token to access a secure endpoint(that has JWT Auth enabled), it will return a error with message that Your JWT Token has been expired. So you need to keep refreshing JWT Token before it get expired. According to documentation:

    Refresh with tokens can be repeated (token1 -> token2 -> token3), but this chain of token stores the time that the original token (obtained with username/password credentials), as orig_iat. You can only keep refreshing tokens up to JWT_REFRESH_EXPIRATION_DELTA

    It means that no matter how many times you refresh your tokens, it will always keep the record of the original time when your 1st token was generated(First Time you logged in your user). So if JWT_REFRESH_EXPIRATION_DELTA is set to 1 day, you can't keep refreshing your JWT token after 1 day from when your original token was generated (means your 1st token generated time).

    Don't know what mechanism you are using to check in the frontend if the user is authenticated or not. But if you use to check it on the backend (DRF-JWT provides some ready endpoints to verify and refresh tokens), you will find it will not work.