Token refresh; Refresh on a refreshed token

[sleenen]

After refreshing a token and getting back a new valid token. The issued at time (IAT) claim remains the same as intended. However the validate refresh code looks like this and checks based on that IAT:

protected function validateRefresh(array $payload)
    {
        if ($this->refreshTTL === null) {
            return true;
        }

        if (isset($payload['iat']) && Utils::isPast($payload['iat'] + $this->refreshTTL * 60)) {
            throw new TokenExpiredException('Token has expired and can no longer be refreshed');
        }

        return true;
    }

Should this not be checked against the expiry (EXP) claim, so that the 'new'/refreshed token again has the refreshTTL to be able to refresh this newly created token and the refreshTTL gets reset basically for this new token.

[mcblum]

Obviously you linked to my issue but just wanted to re-iterate this is exactly what I am looking to do.

[sleenen]

I'm using 1.0.0-alpha.3 by the way.

@tymondesigns any thoughts on this? I see the code has changed in the 1.0.0-beta.2, making it unclear for me where the actual checking on the time difference is done. Gonna have to look into that.

[M-Hoogie]

Isn't this on purpose so you can't indefinitely chain refresh tokens?

Here's what I did to try and fix this.

A token is set to a specific user through the custom claim, if I detect that the token is within three hours of expiring, I generate a new Token based on the JWTSubject.

You can still indefinitely chain refresh tokens but by setting this time period to a low number you mitigate some risks.

[awardx]

@Mark-Hoog Could you please drop some demo code to see how you check the expiration time of the token?