Is it possible to revoke refresh tokens?

[alexolivas]

I'm not even sure that this is how refresh tokens are meant to behave, but how can a user effectively notify the system to stop issuing new tokens by using a refresh token in the case their token is compromised?

My settings file contains the following JWT settings

JWT_AUTH = {
    'JWT_EXPIRATION_DELTA': datetime.timedelta(seconds=300),
    'JWT_REFRESH_EXPIRATION_DELTA': datetime.timedelta(days=7),
    'JWT_ALLOW_REFRESH': True,
    'JWT_AUTH_HEADER_PREFIX': 'Token'
}

After a user obtains a valid JWT token from rest_framework_jwt.views.obtain_jwt_token they can use it to access my system's APIs, for up to 7 days by getting new tokens each time using rest_framework_jwt.views.refresh_jwt_token. However, what if one of the expired JWT Tokens is compromised before the refresh token's expiration delta (7 days), couldn't it be used to obtain a valid token by calling the same refresh endpoint? If so, how can a refresh token be revoked so this does not happen?

Note: still trying to wrap my head around using JWT tokens securely

[alexolivas]

Found something similar to what I was looking for in #115 but it appears that PR was turned into a separate 3rd party app, not exactly ideal. However, my confusion around this may have been cleared up by #92: basically, only un-expired tokens can be refreshed. So with that it seems like a mechanism to revoke refresh tokens is unnecessary if your tokens have a short expiration time period. Is this a valid statement?

[carltongibson]

@alexolivas I think currently yes. There's a lot of noise about refresh tokens so maybe something will happen there but as it stands keeping your expirations short is a reasonable approach.

[karesh]

JWT_EXPIRATION_DELTA - 5 mins
JWT_REFRESH_EXPIRATION_DELTA - one week

I got the token and after 20 mins I tried to refresh the token I got this error.
{
"non_field_errors": [
"Signature has expired."
]
}
In general we should be able to refresh the token upto one week.
It affects the mobile users. How can I solve this.. ?

[chika-kasymov]

@karesh did you set 'JWT_ALLOW_REFRESH': True, in settings of your app?

[zarebski-m]

@karesh The JWT_REFRESH_EXPIRATION_DELTA means that you can keep refreshing tokens up to one week. This does not mean that expired token can be refreshed.

With JWT_EXPIRATION_DELTA = 5 mins, you can refresh your (still valid) token and get a new one with 5 minutes expiration. And you can do this e.g. every 4m50s until one week passes from the first obtained token.

[karesh]

@chika-kasymov yes. I have put that.
@zarebski-m . Yes I got it.

But I feel, for the mobile users refresh token for every 5 minutes is not good.
Is there any way to refresh the token even after JWT token is expired. ? Then we dont need to ask the user enter user and password again or no need to store or we don't need to check every time inside our code. just refresh once we get an error.

JWT_REFRESH_EXPIRATION_DELTA upto one week is fine.