pallets-eco / flask-jwt

JWT (JSON Web Tokens) for Flask applications
MIT License

how use JWT_VERIFY_EXPIRATION #107

Open Bencyril opened 8 years ago

Bencyril commented 8 years ago

my config is:

JWT_AUTH_URL_RULE = "/api/v1/auth"
JWT_VERIFY_EXPIRATION = False

I use the token for my mobile app. I want my token to never expire, but it doesn't work.

Do you have an idea?

paulsoh commented 7 years ago

I also needed this feature and after taking a look I noticed that the JWT_VERIFY_EXPIRATION part isn't implemented right now. I am working on it on a forked version.

vimalloc commented 7 years ago

This project has basically been abandoned, it seems. Perhaps check out https://github.com/vimalloc/flask-jwt-extended instead (full disclosure, I'm the author). It can do (basically) unlimited-length access tokens right out of the box, but it has a bunch of other built-in goodies to make working in these situations more secure.

In flask-jwt-extended, if you just need a token that lasts forever, you can set JWT_ACCESS_TOKEN_EXPIRES to thousands of years in the future, essentially making it last forever. However, you can do more to control and secure your app with this extension. You can make a refresh token that lasts forever, which can generate new access tokens which have a smaller fixed life. You can also combine that with the idea of fresh and non-fresh access tokens, so that access tokens generated with the refresh token are marked as non-fresh, and cannot access specific critical endpoints (such as updating passwords, completing online purchases, etc.) without verifying their username and password again.

http://flask-jwt-extended.readthedocs.io/en/latest/refresh_tokens.html http://flask-jwt-extended.readthedocs.io/en/latest/token_freshness.html

You also have the option to enable token blacklisting, so if a single token gets compromised you can simply blacklist that one, instead of having to change your secret key and invalidate all of the tokens. There are of course trade-offs to this, as you now need to keep state on your servers and it is no longer an entirely stateless implementation, hence it being completely optional.

http://flask-jwt-extended.readthedocs.io/en/latest/blacklist_and_token_revoking.html

Ok, done with the sales pitch. I hope that gave you some ideas to think about, and that whatever route you end up going works well for you!

Cheers :)
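The flow described in the comment above (a refresh token with no expiry, short-lived non-fresh access tokens minted from it, fresh tokens required for critical endpoints, and blacklisting a single token by its id) as an added, standard-library-only Python sketch; this is not flask-jwt-extended's API and not code from this thread. SECRET, the claim names "type" and "fresh", the in-memory REVOKED set and the HS256 encoding helpers are assumptions of the example.

```python
import base64, hashlib, hmac, json, time, uuid
SECRET = b"constructed-example-secret"  # constructed for this example only
REVOKED = set()  # jti values of revoked tokens: the server-side state blacklisting needs

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def encode(claims):
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify(token):
    # Returns the claims, or None when the signature, expiry or revocation check fails.
    head, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    expired = time.time() >= claims.get("exp", float("inf"))
    return None if expired or claims["jti"] in REVOKED else claims

def issue_refresh_token(user):
    # No "exp" claim: valid until its jti is revoked (the "refresh token that lasts forever").
    return encode({"sub": user, "type": "refresh", "jti": uuid.uuid4().hex})

def issue_access_token(user, fresh, ttl=900):
    # Short fixed lifetime; fresh=True only right after username and password were verified.
    return encode({"sub": user, "type": "access", "fresh": fresh,
                   "exp": int(time.time()) + ttl, "jti": uuid.uuid4().hex})

def refresh_access(refresh_token):
    # Mints a NON-fresh access token from a valid, unrevoked refresh token.
    claims = verify(refresh_token)
    if claims is None or claims["type"] != "refresh":
        return None
    return issue_access_token(claims["sub"], fresh=False)

def check_access(token, require_fresh=False):
    # Endpoint guard; critical endpoints (password change, purchase) pass require_fresh=True.
    claims = verify(token)
    if claims is None or claims["type"] != "access":
        return "rejected"
    return "fresh_required" if require_fresh and not claims["fresh"] else "ok"

def revoke(token):
    # Blacklist one token by jti instead of rotating SECRET and invalidating every token.
    if (claims := verify(token)) is not None:
        REVOKED.add(claims["jti"])
```

Revoking the refresh token stops further renewals but does not touch access tokens already minted from it, which is why their lifetime is kept short.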

justindz commented 7 years ago

Does flask-jwt-extended have (or can it have) support for the ability to extend a token expiration based on recent usage? I'd love to have tokens expire after X amount of time, but renew if they are used within that period (without requiring the client to obtain and use a new token, ideally).