Open sinisarudan opened 2 years ago
Not a maintainer, but I just came across this issue and wanted to note that you cannot invalidate JWTs. Once they're signed, they're active until they're expired. Effectively, once the refresh token has expired, the user's session has ended and they must authenticate to get a new one. The refresh endpoint generates a new access token because it should expire at more frequent intervals than the refresh token. For example, we might set the refresh token's expiration to 24 hours from when it's signed, whereas an access token might only be valid for five minutes.
For security, the best practice is to store the refresh token in an HTTP Only, Secure cookie. This prevents it from being accessed by malicious JavaScript or transported unencrypted.
I believe you can use Simple JWT with

```python
from datetime import timedelta

SIMPLE_JWT = {
    'ACCESS_TOKEN_LIFETIME': timedelta(minutes=1),
    'REFRESH_TOKEN_LIFETIME': timedelta(days=1),
    'ROTATE_REFRESH_TOKENS': True,
}
```
Source: https://django-rest-framework-simplejwt.readthedocs.io/en/latest/settings.html#rotate-refresh-tokens
This quite simple but powerful mechanism would provide more security for SPAs built using djoser and prevent attacks using refresh tokens. More at:
https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation
https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/#You-Can-Store-Refresh-Token-In-Local-Storage
Practically it would mean /jwt/refresh/ (https://djoser.readthedocs.io/en/latest/jwt_endpoints.html) should return a new `refresh` token in addition to the new `access` token, while at the same time invalidating the previous `refresh` token.
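The rotation-and-invalidation behaviour described in this thread, as an added example that is not djoser's or Simple JWT's own code: a minimal HS256 issuer built on the standard library (no PyJWT) whose `refresh()` returns a new access and refresh token and denylists the `jti` of the refresh token just used, so a replayed old refresh token is refused and expired tokens fail verification. The class and function names (`TokenService`, `rotation_scenario`), the secret and the timestamps are constructed for the example.

```python
# Added example (not djoser or Simple JWT code): a minimal HS256 JWT issuer
# that rotates refresh tokens and denylists the one just exchanged.
import base64
import hashlib
import hmac
import json
import secrets
from datetime import timedelta

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-secret-do-not-use"
ACCESS_TOKEN_LIFETIME = timedelta(minutes=5)
REFRESH_TOKEN_LIFETIME = timedelta(days=1)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict) -> str:
    """Produce a compact HS256 JWT: b64url(header).b64url(payload).b64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify(token: str, now: float) -> dict:
    """Check signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    expected = hmac.new(SECRET, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


class TokenService:
    """Issues access/refresh pairs; refresh() rotates and denylists the used refresh token."""

    def __init__(self) -> None:
        # jti values of refresh tokens already exchanged. A real service persists
        # this store (Simple JWT's token_blacklist app keeps it in the database).
        self.denylist: set[str] = set()

    def _issue(self, user_id: str, token_type: str, lifetime: timedelta, now: float) -> str:
        return sign({
            "sub": user_id,
            "type": token_type,
            "jti": secrets.token_hex(16),  # unique id so a single refresh token can be revoked
            "iat": int(now),
            "exp": int(now + lifetime.total_seconds()),
        })

    def _pair(self, user_id: str, now: float) -> dict:
        return {
            "access": self._issue(user_id, "access", ACCESS_TOKEN_LIFETIME, now),
            "refresh": self._issue(user_id, "refresh", REFRESH_TOKEN_LIFETIME, now),
        }

    def login(self, user_id: str, now: float) -> dict:
        return self._pair(user_id, now)

    def refresh(self, refresh_token: str, now: float) -> dict:
        claims = verify(refresh_token, now)
        if claims.get("type") != "refresh":
            raise ValueError("not a refresh token")
        if claims["jti"] in self.denylist:
            # Same refresh token presented twice: a client bug or a stolen copy being
            # replayed. Reject it; a stricter policy also revokes the user's whole session.
            raise ValueError("refresh token already rotated")
        self.denylist.add(claims["jti"])
        return self._pair(claims["sub"], now)


def rotation_scenario(now: float = 1_700_000_000.0) -> dict:
    """Walk through login -> refresh -> replay -> expiry and report what was accepted."""
    svc = TokenService()
    first = svc.login("alice", now)
    t_refresh = now + 60
    second = svc.refresh(first["refresh"], t_refresh)
    result = {"rotated": second["refresh"] != first["refresh"] and second["access"] != first["access"]}
    try:
        svc.refresh(first["refresh"], t_refresh + 60)  # old refresh token replayed
        result["replay_rejected"] = False
    except ValueError:
        result["replay_rejected"] = True
    try:
        verify(first["access"], now + ACCESS_TOKEN_LIFETIME.total_seconds())
        result["old_access_expired"] = False
    except ValueError:
        result["old_access_expired"] = True
    try:
        svc.refresh(second["refresh"], t_refresh + REFRESH_TOKEN_LIFETIME.total_seconds())
        result["stale_refresh_rejected"] = False
    except ValueError:
        result["stale_refresh_rejected"] = True
    return result


if __name__ == "__main__":
    print(rotation_scenario())
```

One caveat when mapping this onto Simple JWT: `ROTATE_REFRESH_TOKENS` on its own makes the refresh view hand back a new refresh token, but the old one stays valid until its `exp`. Refusing it, as the in-memory denylist does here, is what `BLACKLIST_AFTER_ROTATION` provides, and that setting needs the `rest_framework_simplejwt.token_blacklist` app (with its migrations) so the outstanding and blacklisted token ids are stored in the database.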