Django Rest Framework JWT: How to change the token expiration time when logged in

Question
I'm using Django REST framework JWT Auth for session creation and permissions, the only problem is: when I log in and after the token expires I can't continue doing the operation I want, unless I log in again. And I didn't fully understand the documentation provided for the additional settings.
So can anyone explain a method for dynamically creating (and refreshing) my token (following best practices) so that I can keep doing operations when I'm logged in.
P.S: I'm using angular 2 for my front end, and I'm inserting the token in the Http request headers. Thanks.
Recommended answer
JWT token refresh is a little confusing, and I hope this explanation helps.
- tokens have an issued at time (iat in the token)
- tokens have an expiration date (now() + 1 hour, for example)
- the token can't be changed. server can only issue a new one
- iat never changes, but expires does change with each refresh
When you want to extend a token, this is what happens:

- You send your token to the server endpoint /.../refresh/
- Server checks it's not expired: now() <= token.iat + JWT_REFRESH_EXPIRATION_DELTA
- If not expired:
  - Issue a NEW token (returned in the json body, same as login)
  - New Token is valid for now() + JWT_EXPIRATION_DELTA
  - The issued at value in the token does not change
  - App now has 2 tokens (technically).
- App discards the old token and starts sending the new one
You have EXPIRATION=1 hour, and a REFRESH_DELTA=2 days. When you login you get a token that says "created-at: Jun-02-6pm". You can refresh this token (or any created from it by refreshing) for 2 days. This means, for this login, the longest you can use a token without re-logging-in, is 2 days and 1 hour. You could refresh it every 1 second, but after 2 days exactly the server would stop allowing the refresh, leaving you with a final token valid for 1 hour. (head hurts).

You have to enable this feature in the backend in the JWT_AUTH settings in your django settings file. I believe that it is off by default. Here are the settings I use:

import datetime

JWT_AUTH = {
    # how long the original token is valid for
    'JWT_EXPIRATION_DELTA': datetime.timedelta(days=2),
    # allow refreshing of tokens
    'JWT_ALLOW_REFRESH': True,
    # this is the maximum time AFTER the token was issued that
    # it can be refreshed. expired tokens can't be refreshed.
    'JWT_REFRESH_EXPIRATION_DELTA': datetime.timedelta(days=7),
}
Then you can call the JWT refresh view, passing in your token in the body (as json) and getting back a new token. Details are in the docs at http://getblimp.github.io/django-rest-framework-jwt/#refresh-token
$ http post localhost:8000/auth/jwt/refresh/ --json token=$TOKEN
Which returns:
HTTP 200
{ "token": "new jwt token value" }
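As an added example, not code from the question or the answer and not the drf-jwt package itself, here are the answer's refresh rules simulated in plain Python: tokens are hand-rolled HS256 JWTs so the script runs offline without Django, the 2-day and 7-day deltas are the answer's JWT_AUTH settings, and the secret, user name and dates are constructed. The example keeps the original issue time in iat as the answer describes it (the real library tracks it in a separate orig_iat claim, but the two checks are the same): a refresh is only granted if the presented token still verifies and has not expired, and if now() is within JWT_REFRESH_EXPIRATION_DELTA of that original issue time; the replacement token carries the same iat and a new exp.

```python
import base64
import datetime
import hashlib
import hmac
import json

# The two deltas from the answer's JWT_AUTH block; the secret is a constructed placeholder.
JWT_EXPIRATION_DELTA = datetime.timedelta(days=2)
JWT_REFRESH_EXPIRATION_DELTA = datetime.timedelta(days=7)
SECRET = b"constructed-demo-secret-not-for-real-use"
UTC = datetime.timezone.utc


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64url(hmac.new(SECRET, signing_input, hashlib.sha256).digest())


def encode(payload: dict) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{header}.{body}." + _sign(f"{header}.{body}".encode())


def decode(token: str, now: datetime.datetime) -> dict:
    """Verify the signature and the exp claim; raise ValueError if either check fails."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, signature = parts
    expected = _sign(f"{header}.{body}".encode())
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body))
    if now.timestamp() > payload["exp"]:
        raise ValueError("token expired")
    return payload


def login(username: str, now: datetime.datetime) -> str:
    """Issue the first token: iat = now, exp = now + JWT_EXPIRATION_DELTA."""
    return encode({
        "username": username,
        "iat": int(now.timestamp()),
        "exp": int((now + JWT_EXPIRATION_DELTA).timestamp()),
    })


def refresh(token: str, now: datetime.datetime) -> str:
    """Issue a replacement token with the same iat and a fresh exp.

    Two checks, as in the answer: the presented token must still be valid
    (expired tokens can't be refreshed), and now() must be within
    JWT_REFRESH_EXPIRATION_DELTA of the original issue time.
    """
    payload = decode(token, now)
    if now.timestamp() > payload["iat"] + JWT_REFRESH_EXPIRATION_DELTA.total_seconds():
        raise ValueError("refresh window closed; log in again")
    renewed = dict(payload)                       # iat and username are carried over unchanged
    renewed["exp"] = int((now + JWT_EXPIRATION_DELTA).timestamp())
    return encode(renewed)


def attempt_refresh(token: str, now: datetime.datetime):
    """Return (new_token, None) on success or (None, reason) when the refresh is refused."""
    try:
        return refresh(token, now), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    t0 = datetime.datetime(2020, 6, 2, 18, tzinfo=UTC)   # constructed "Jun-02-6pm" login time
    token = login("alice", t0)
    # Refresh on a chain of days after login; the window closes 7 days after the original iat.
    for days in (1, 2.5, 4, 5.9, 7, 8):
        new_token, reason = attempt_refresh(token, t0 + datetime.timedelta(days=days))
        print(f"day {days}: {'refreshed' if new_token else 'refused: ' + reason}")
        token = new_token or token
```

Running the script walks one login through a week of refreshes: each refresh succeeds while the chain is kept alive, the refresh at exactly day 7 is still inside the window, and the refresh at day 8 is refused even though the token it presents has not yet expired, which is the "2 days and 1 hour" ceiling from the answer scaled to the 7-day setting.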