appleboy / gin-jwt

JWT Middleware for Gin framework
MIT License
2.78k stars 391 forks

Refresh Token implementation and RFC 6749 #220

Open ewgRa opened 5 years ago

ewgRa commented 5 years ago

As far as I can see, gin-jwt considers the access token to be the same as the refresh token. When we log in, the response contains a token that we can later send to the refresh endpoint. Additionally, we also have the MaxRefresh setting, which allows us to refresh the token even if it has expired. As far as I understand, this approach increases security risks. The idea of a refresh token is to get it once, protect it better than the access token, and use it only for auth purposes, not for access to resources.

Here is the RFC that clarifies the flow: https://tools.ietf.org/html/rfc6749#section-1.4.

The question is: what is the reason gin-jwt implements it like this? How about following RFC 6749?
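To make the distinction the post draws concrete, here is an added example that is not gin-jwt's code and not from this thread. It uses only the Go standard library to mint HS256 tokens with a `typ` claim, so that a refresh token presented to a resource is rejected, an access token presented to the token endpoint is rejected, and an expired access token cannot be turned back into a valid session (the contrast with a MaxRefresh-style grace window). The function names, the lifetimes `AccessTTL`/`RefreshTTL` and the demo key are assumptions chosen for the example; revoking the previous refresh token on rotation needs server-side state and is out of scope here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the token payload. "typ" is what separates an access token from a
// refresh token: a verifier for one role rejects the other even if the signature
// and expiry are fine.
type Claims struct {
	Sub string `json:"sub"`
	Typ string `json:"typ"` // TypAccess or TypRefresh
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

const (
	TypAccess  = "access"
	TypRefresh = "refresh"
	AccessTTL  = 15 * time.Minute    // assumed short lifetime for resource access
	RefreshTTL = 7 * 24 * time.Hour  // assumed long lifetime, token endpoint only
)

var ErrInvalid = errors.New("invalid token")

var b64 = base64.RawURLEncoding

// sign computes the HS256 signature over header.payload. The verifier always
// recomputes HS256 itself and never trusts the "alg" header, so there is no
// algorithm-confusion path.
func sign(key []byte, signingInput string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return b64.EncodeToString(mac.Sum(nil))
}

// Issue builds a compact JWS (header.payload.signature) for the given role.
func Issue(key []byte, sub, typ string, now time.Time, ttl time.Duration) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(Claims{Sub: sub, Typ: typ, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	signingInput := header + "." + b64.EncodeToString(payload)
	return signingInput + "." + sign(key, signingInput)
}

// IssueTokenPair is what a login endpoint returns: a short-lived access token for
// resources and a separate long-lived refresh token for the token endpoint only.
func IssueTokenPair(key []byte, sub string, now time.Time) (access, refresh string) {
	return Issue(key, sub, TypAccess, now, AccessTTL), Issue(key, sub, TypRefresh, now, RefreshTTL)
}

// Verify checks signature, expiry, and that the token was issued for role wantTyp.
func Verify(key []byte, token, wantTyp string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrInvalid
	}
	signingInput := parts[0] + "." + parts[1]
	if !hmac.Equal([]byte(sign(key, signingInput)), []byte(parts[2])) {
		return nil, fmt.Errorf("%w: bad signature", ErrInvalid)
	}
	raw, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, ErrInvalid
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, ErrInvalid
	}
	if c.Typ != wantTyp {
		return nil, fmt.Errorf("%w: token type %q cannot be used as %q", ErrInvalid, c.Typ, wantTyp)
	}
	if now.Unix() >= c.Exp {
		return nil, fmt.Errorf("%w: expired", ErrInvalid)
	}
	return &c, nil
}

// Refresh is the token endpoint: only a valid, unexpired refresh token is accepted
// and the caller gets a fresh pair. An expired access token is not a way back in.
func Refresh(key []byte, refreshToken string, now time.Time) (access, refresh string, err error) {
	c, err := Verify(key, refreshToken, TypRefresh, now)
	if err != nil {
		return "", "", err
	}
	access, refresh = IssueTokenPair(key, c.Sub, now)
	return access, refresh, nil
}

func main() {
	key := []byte("constructed-demo-key-do-not-use") // constructed sample key
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	access, refresh := IssueTokenPair(key, "alice", now)
	_, err := Verify(key, refresh, TypAccess, now)
	fmt.Println("refresh token at a resource:", err)
	_, _, err = Refresh(key, access, now)
	fmt.Println("access token at the token endpoint:", err)
	_, err = Verify(key, access, TypAccess, now.Add(AccessTTL+time.Minute))
	fmt.Println("access token after its lifetime:", err)
}
```

The point of the `typ` check is that possession of the long-lived credential never grants resource access by itself; the only thing a leaked refresh token can do is hit the token endpoint, which is where rotation and revocation can be enforced.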

ewgRa commented 4 years ago

Any update?

meruiden commented 4 years ago

Any update? It has been more than a year since the initial request for this feature.

merfrei commented 3 years ago

For the same reason I have decided not to use it and implement my own. A shame.

gnuletik commented 3 years ago

@appleboy would you consider merging a PR implementing this? That would be a breaking change for v3.0, I guess.

axispx commented 3 years ago

This issue makes this package unusable for me.

FunnyPocketBook commented 8 months ago

You could also explicitly state in the docs that the refresh token isn't implemented as one would expect, which would make everything a lot clearer.