Flask JWT在每个请求上扩展令牌的有效性 [英] Flask JWT extend validity of token on each request

问题描述

已登录的用户的令牌有效期为24小时.在此期间内，所有使用@jwt_required装饰器的请求将 current 访问令牌的有效期再延长24小时.最长有效期为168(24 * 7)小时.

A logged in user will have a token expiry of 24 hours. Within that period, all request with @jwt_required decorator will have the current access token's expiry extended by another 24 hours. There is a maximum validity of 168(24 * 7) hours.

可以使用access_token和refresh_token.

It is possible to use access_token and refresh_token.

ret = {
        'access_token': create_access_token(identity=username, fresh=True),
        'refresh_token': create_refresh_token(identity=username)
    }

但这意味着我的applicatino的每个API调用都会有两个请求: 1.实际的HTTP请求 2.刷新身份验证令牌

But that means every API call from my applicatino will be two requests: 1. Actual HTTP Request 2. Refresh the auth token

@app.route('/refresh', methods=['POST'])
@jwt_refresh_token_required
def refresh():
    current_user = get_jwt_identity()
    ret = {
        'access_token': create_access_token(identity=current_user)
    }
    return jsonify(ret), 200

是否可以隐式扩展身份验证令牌?

Is there a way to implicitly extend an auth token?

推荐答案

flask-jwt-author的作者在此处扩展.从技术上讲，您实际上不能扩展令牌，只能将其替换为具有新到期时间的新JWT.不过，您可以通过几种方法进行模拟.

Author of flask-jwt-extended here. Technically you cannot actually extend a token, you can only replace it with a new JWT that has a new expires time. There are a few ways you could simulate this though.

首先，您可以让服务器本身仅在每次请求时隐式发送回新令牌，而不是让客户端请求新令牌.您可以将新的JWT发送回标头而不是JSON有效负载中，这样您就不必修改JSON数据即可解决新JWT的可能性.但是，您的客户将需要意识到这一点，他们需要在每个请求中检查该新标头，并用新的JWT替换其当前的JWT.您可能可以使用flask after_request方法来执行此操作，因此您不必将该功能添加到所有端点.将JWT存储在cookie中时，可以实现类似的效果，不同之处在于cookie是自动存储在浏览器中的(因此您的客户端不必在每个请求中都手动查找它们)，并且CSRF更加复杂如果您选择此路线，则可以得到保护( http://flask-jwt-extended.阅读thedocs.io/en/latest/tokens_in_cookies.html ).

First, instead of having the client request a new token, you could have the server itself just implicitly send back a new token on every request. You could send the new JWTs back in a header instead of in the JSON payload, so that you wouldn't have to modify you JSON data to account for the possibility of a new JWT. Your clients would need to be aware of this though, they would need to check for that new header on every request and replace their current JWT with the new one if it is present. You could probably use a flask after_request method to do this, so you didn't have to add that functionality to all your endpoints. A similar effect could be achieved when storing the JWTs in cookies, with the differences being that cookies are automatically stored in your browser (so your client wouldn't have to manually look for them on every request), and with the added complexity of CSRF protection if you go this route (http://flask-jwt-extended.readthedocs.io/en/latest/tokens_in_cookies.html).

上面的方法应该可以正常工作，但是您将创建许多访问令牌，这些令牌在创建后立即被丢弃，这可能不是理想的选择.上面的一种变体是检查令牌是否即将到期(可能是令牌过期的一半以上)，并且仅在这种情况下才创建并返回一个新令牌.另一个变化是让客户端检查令牌是否即将过期(通过javascript)，如果是，则使用刷新令牌来请求新的访问令牌.为此，您需要在点('.')上分割JWT，base64从该分割(索引1)中解码第二组字符串，然后从那里获取'exp'数据.

The above should work fine, but you will be creating a lot of access tokens that are thrown away right after being created, which probably isn't ideal. A variation of the above is to check if the token is near expiring (maybe if it is more then half way to being expired) and only create and return a new token if that is the case. Another variation of this would be to have the client check if the token is about to expire (via javascript) and if it is, use the refresh token to request a new access token. To do that, you would need to split the JWT on dots ('.'), base64 decode the second set of strings from that split (index 1), and grab the 'exp' data from there.

您可以执行的第二种方法是实际上等待令牌过期，然后使用刷新令牌生成新的访问令牌并重新发出请求(主动而不是主动).这看起来像是发出请求，检查http代码是否为401，如果是，则使用刷新令牌生成新的访问令牌，然后再次发出请求.

A second way you could do this is actually wait for a token to expire, and then use the refresh token to generate a new access token and remake the request (reactive instead of proactive). That might look like making a request, checking if the http code is 401, if so use the refresh token to generate a new access token, then making the request again.

希望这会有所帮助:)

这篇关于Flask JWT在每个请求上扩展令牌的有效性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！