jpadilla / django-rest-framework-jwt

JSON Web Token Authentication support for Django REST Framework
http://jpadilla.github.io/django-rest-framework-jwt/
MIT License

Refresh Token Client Side #330

Closed psychok7 closed 7 years ago

psychok7 commented 7 years ago

This might be somehow related to https://github.com/GetBlimp/django-rest-framework-jwt/issues/92, but I felt that it deserved a new issue.

While reading the official documentation on Refresh Tokens, I found this bit: "Each time the user loads the page, you can check if there is an existing non-expired token and if it's close to being expired, refresh it to extend their session."

The thing is, I want my API to support both Web and Mobile; for my Web part I am using jQuery to ask for the refresh tokens. The thing is, how can I do this part ("if it's close to being expired, refresh it to extend their session") without passing my Django secret key to the template so that I can decode the token in my local storage and figure out when it is going to expire before making an unnecessary request?

If I should not decode the token, then for every page load I would have to make an additional request to ask if my current token has not expired yet? That seems a bit overkill to me and it is what's causing me to be confused about it.

What is the correct approach here?

Thanks

cbouvier15 commented 7 years ago

I think you don't (shouldn't) need to pass Django's secret key to the front-end in order to decode the token and obtain the expiration time.

For example, this library created by auth0 to work with JSON Web Tokens in AngularJS provides methods to decode the token, verify its expiration time, and so on, without using the secret key.

Maybe you can try jwt.io to verify what I'm saying.

psychok7 commented 7 years ago

@kitab15 I am not using Angular, but I found this that I can try: https://github.com/auth0/jwt-decode

But how can it decode without knowing the secret key?

psychok7 commented 7 years ago

Ok, after reading a bit further I now understand why we don't need a secret key to decode, as explained here: https://github.com/auth0/jwt-decode/issues/4#issuecomment-72366352

I found this implementation as well: https://github.com/sahat/satellizer/blob/31a1f03937656cc5227347355439f4b4386ad66d/src/shared.ts#L65

I also found that we can use RSA as mentioned here: https://github.com/GetBlimp/django-rest-framework-jwt/issues/316#issuecomment-284790759 so that we can share the public key and encrypt with it, and then generate our own private keys in the client (maybe put it in local storage). If for some reason we lose the private key, we can always force a username/password login and generate a new one.

orf commented 7 years ago

Tokens are signed, not encrypted. Even the slightest reading into JWTs should have shown you this. You don't need a secret key to read them, only to verify them, and if you use a private key to sign them then you can verify them with the public key.


psychok7 commented 7 years ago

@orf I guess when we are learning new tech we might miss some important points (or maybe not even think about the actual meaning until we need to). Nevertheless, thanks for your explanation.

orf commented 7 years ago

Sorry, I didn't mean to come across as brisk! Check out https://jwt.io for a good resource and help.
