Django Rest Framework JWT:登录时如何更改令牌过期时间 [英] Django Rest Framework JWT: How to change the token expiration time when logged in
问题描述
我使用 Django REST framework JWT Auth 来创建会话和获得权限,唯一的问题是:当我登录并且令牌过期后,我无法继续执行我想要的操作,除非我再次登录.而且我没有完全理解为附加设置提供的文档.
I'm using Django REST framework JWT Auth for session creation and permissions, the only problem is: when I log in and after the token expires I can't continue doing the operation I want, unless I log in again. And I didn't fully understand the documentations provided for the additional settings.
那么任何人都可以解释一种动态创建(和刷新)我的令牌(遵循最佳实践)的方法,以便我可以在登录时继续进行操作.
So can any one explain a method for dynamically creating (and refreshing) my token (following best practices) so that I can keep doing operations when I'm logged in.
P.S:我的前端使用 angular 2,我将令牌插入到 Http 请求标头中.谢谢.
P.S: I'm using angular 2 for my front end, and I'm inserting the token in the Http requests headers. Thanks.
推荐答案
JWT 令牌刷新有点混乱,我希望这个解释有帮助.
JWT token refresh is a little confusing, and i hope this explanation helps.
- 令牌在时间(令牌中的
iat
)有一个发布
- 令牌有一个
到期日期
(例如,now() + 1 小时) - 令牌无法更改.服务器只能发布一个新
iat
永远不会改变,但expires
确实会随着每次刷新而改变
- tokens have an
issued at
time (iat
in the token) - tokens have an
expiration date
(now() + 1 hour, for example) - the token can't be changed. server can only issue a new one
iat
never changes, butexpires
does change with each refresh
当您想扩展令牌时,会发生以下情况:
When you want to extend a token, this is what happens:
- 您将
令牌
发送到服务器端点/.../refresh/
- 服务器检查其未过期:
now() <= token.iat + JWT_REFRESH_EXPIRATION_DELTA
- 如果未过期:
- 发出NEW令牌(在json正文中返回,与登录相同)
- 新令牌对
now() + JWT_EXPIRATION_DELTA
有效 - 令牌中的
发布于
值不会改变 - 应用现在有 2 个令牌(技术上).
- 应用丢弃旧令牌并开始发送新令牌
- You send your
token
to the server endpoint/.../refresh/
- Server checks its not expired:
now() <= token.iat + JWT_REFRESH_EXPIRATION_DELTA
- If not expired:
- Issue a NEW token (returned in the json body, same as login)
- New Token is valid for
now() + JWT_EXPIRATION_DELTA
- The
issued at
value in the token does not change - App now has 2 tokens (technically).
- App discards the old token and starts sending the new one
您有
EXPIRATION=1 小时
,以及REFRESH_DELTA=2 天
.当您登录时,您会收到一个令牌,上面写着created-at: Jun-02-6pm".您可以刷新此令牌(或通过刷新从它创建) 2 天.这意味着,对于此次登录,无需重新登录可以使用令牌的最长时间为 2 天 1 小时.您可以每 1 秒刷新一次,但恰好在 2 天后服务器将停止允许刷新,从而为您留下一个有效期为 1 小时的最终令牌.(头疼).You have
EXPIRATION=1 hour
, and aREFRESH_DELTA=2 days
. When you login you get a token that says "created-at: Jun-02-6pm". You can refresh this token (or any created from it by refreshing) for 2 days. This means, for this login, the longest you can use a token without re-logging-in, is 2 days and 1 hour. You could refresh it every 1 second, but after 2 days exactly the server would stop allowing the refresh, leaving you with a final token valid for 1 hour. (head hurts).您必须在后端的 django 设置文件中的
JWT_AUTH
设置中启用此功能.我相信默认情况下它是关闭的.以下是我使用的设置:You have to enable this feature in the backend in the
JWT_AUTH
settings in your django settings file. I believe that it is off by default. Here are the settings I use:JWT_AUTH = { # how long the original token is valid for 'JWT_EXPIRATION_DELTA': datetime.timedelta(days=2), # allow refreshing of tokens 'JWT_ALLOW_REFRESH': True, # this is the maximum time AFTER the token was issued that # it can be refreshed. exprired tokens can't be refreshed. 'JWT_REFRESH_EXPIRATION_DELTA': datetime.timedelta(days=7), }
然后您可以调用 JWT 刷新视图,在正文中传入您的令牌(作为 json)并取回一个新令牌.详细信息在 http://getblimp.github.io/的文档中django-rest-framework-jwt/#refresh-token
Then you can call the JWT refresh view, passing in your token in the body (as json) and getting back a new token. Details are in the docs at http://getblimp.github.io/django-rest-framework-jwt/#refresh-token
$ http post localhost:8000/auth/jwt/refresh/ --json token=$TOKEN
哪个返回:
HTTP 200 { "token": "new jwt token value" }
这篇关于Django Rest Framework JWT:登录时如何更改令牌过期时间的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!