I don't understand JWT refresh token's behaviour (LARAVEL)


Question

I have just tried JWT auth with LARAVEL and this https://github.com/tymondesigns/jwt-auth

But there's something I can't understand. In their config they put:

'ttl' => env('JWT_TTL', 60), // in minutes
'refresh_ttl' => env('JWT_REFRESH_TTL', 20160), // in minutes

What I understand: the token's life is 1 hour and it can be refreshed within 2 weeks.

But after 3 hours, if I try to query something, it says "token expired".

Does this system mean a user must get his token updated / refreshed within every hour, but with a limit of 2 weeks? I don't get it.

How can a user persist login with this kind of system? How is the refresh token useful when, after the first hour, though it hasn't been 2 weeks yet, I can't get a fresh token?

Thanks

UPDATE: code

config/jwt.php

'ttl' => 2, // 2 minutes
'refresh_ttl' => 5, // 5 minutes

routes/api.php

Route::post('/login', 'AuthController@login');
Route::get('/test', 'AuthController@test')->middleware('jwt.auth', 'jwt.refresh');

Http/Controllers/AuthController

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use JWTAuth;
use Tymon\JWTAuth\Exceptions\JWTException;

class AuthController extends Controller
{
    public function test()
    {
        return response()->json(['coucou' => 1]);
    }

    public function login(Request $request)
    {
        // grab credentials from the request
        $credentials = $request->only('email', 'password');

        try {
            // attempt to verify the credentials and create a token for the user
            if (! $token = JWTAuth::attempt($credentials)) {
                return response()->json(['error' => 'invalid_credentials'], 401);
            }
        } catch (JWTException $e) {
            // something went wrong whilst attempting to encode the token
            return response()->json(['error' => 'could_not_create_token'], 500);
        }

        // all good so return the token
        return response()->json(compact('token'));
    }
}

This is the flow:

request to /login with {username: xxx, password: xxx}; response of /login > {token: xxxxxxx}

request to /test straight after (10 secs) with Bearer xxxxxx; response of /test > the good JSON response with NEW TOKEN in HEADER

request to /test after 3 minutes (so 3 mins 10 secs have passed now, less than the 5 min refresh limit); response of /test > token expired

I don't get it.

Answer

After the access token has expired you can use the refresh token to get a new access token without asking the user to input his username and password again. Only after the refresh token has expired does the user need to log in again.

"But after 3 hours, if I try to query something, it says "token expired"."

That's because the access token has expired.

"Does this system mean a user must get his token updated / refreshed within every hour, but with a limit of 2 weeks? I don't get it."

Yes. You keep the refresh token in your client system and use it to request a new access token when the access token has expired.
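The ttl / refresh_ttl semantics the answer describes, as an added Python model that is not code from the question, the answer or the tymon/jwt-auth package: it assumes (my reading of jwt-auth, not something the page states) that a refresh is allowed until the token's original iat plus refresh_ttl, whatever its exp, and that iat is carried over into the refreshed token; the HMAC signing, secret, subject and error strings are constructed for the example. It replays the question's timeline with the question's 2-minute / 5-minute config (login, /test at 10 s, /test at 3 min 10 s), then shows the refresh the answer recommends succeeding inside the window and failing once the window has closed.

```python
import base64, hashlib, hmac, json

TTL = 2 * 60          # 'ttl' => 2 (minutes), as in the question's config/jwt.php
REFRESH_TTL = 5 * 60  # 'refresh_ttl' => 5 (minutes)
SECRET = b"constructed-demo-secret"  # placeholder, not a real JWT_SECRET

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _sign(claims: dict) -> str:
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return body + "." + _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
def _verify(token: str) -> dict:
    body, sig = token.split(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("token_invalid")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def issue(sub: str, now: int) -> str:
    # /login: iat opens the refresh window, exp closes the access window
    return _sign({"sub": sub, "iat": now, "exp": now + TTL})

def authenticate(token: str, now: int) -> dict:
    # jwt.auth: an expired access token is rejected, whatever its iat
    claims = _verify(token)
    if now >= claims["exp"]:
        raise ValueError("token_expired")
    return claims

def refresh(token: str, now: int) -> str:
    # refresh ignores exp; only iat + refresh_ttl matters, and iat is carried over
    claims = _verify(token)
    if now >= claims["iat"] + REFRESH_TTL:
        raise ValueError("token_expired_and_cannot_be_refreshed")
    return _sign({"sub": claims["sub"], "iat": claims["iat"], "exp": now + TTL})

def replay(login_at: int = 0) -> list:
    # the question's timeline, plus the refresh step the answer recommends
    events, token = [], issue("user@example.com", login_at)
    steps = [("auth", 10), ("auth", 190), ("refresh", 190), ("auth", 200), ("refresh", 360)]
    for action, offset in steps:
        try:
            if action == "refresh":
                token = refresh(token, login_at + offset)
            else:
                authenticate(token, login_at + offset)
            events.append(f"{action}@{offset}s: ok")
        except ValueError as e:
            events.append(f"{action}@{offset}s: {e}")
    return events
```

The third step is the one missing from the question's flow: the expired token is sent to a refresh step rather than to /test, and the client then uses the token that step returns.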
