Comments (12)
Hey @Hanspagh. Guardian provides a refresh! function. Checkout Guardian.refresh!
from guardian.
Yes, I know but that only allows us to make a new token from a valid existing one. The feature I am requesting is to create a new token without having a valid token, but from a refresh token. Like described here https://auth0.com/docs/refresh-token
Refresh tokens are tricky. There's a couple of ways to do them that spring to mind.
- Create a non-expiring token containing/mapping the 'claims' and store it in the db. When issuing a JWT from it, use the claims from the refresh token and encode them into an access token. This requires that you have a database and lookup the refresh token. This method would be outside the scope of Guardian since you'd have to maintain some state on your server.
- Create a token with Guardian of type 'refresh' that has a long expiry (years) containing all claims required. You can then use this token to exchange for a type of 'access' containing the same claims with a much shorter exp. This does not require you to store the token in a db - although you should probably use something like GuardianDb so that it can be revoked. This would require the addition of an 'exchange' function in guardian so that you could exchange one type of token for another.
I'd be down for adding an exchange function I think. It's been on my todo list for a while I just haven't had the motivation to actually write it.
Thoughts?
My first thought was to implement it like you described in 1. and then add it as a dependency like GuardianDb.
But 2. seems to integrate much better into the existing code, and being able to reuse GuardianDb instead of writing a db integration again seems to be a big win.
I am still a bit new to Elixir but I would be happy to help with implementing this :)
@Hanspagh I'd be happy to review something for #1 but I don't think it should go into the Guardian lib.
When you say it should not go in the Guardian lib, do you then mean it should be a lib like GuardianDb, or should it be part of the core?
I think it should be a separate lib like guardian db
Awesome, will start working on something.
Sounds great. I'd love to see it when you have something.
I made a VERY simple initial commit on the Refresh Token project, and I thought you might want to take a quick look at it, just to see if I am on the right track.
https://github.com/Hanspagh/guardian_refresh_token
Has there been any progress on providing a solution for refresh tokens, or at least a recommended way of doing it yourself?
We are currently working on it.
But you can use encode_and_sign to create tokens with a 'refresh' type and a longer expiry time.

```elixir
claims = Guardian.Claims.app_claims |> Guardian.Claims.ttl({60, :days})
{:ok, jwt, claims} = Guardian.encode_and_sign(resource, "refresh", claims)
```

Later you can verify that a token is a 'refresh token' and issue a shorter-living access token.

```elixir
case Guardian.decode_and_verify(jwt) do
  {:ok, claims} -> # verify that the type is refresh and issue a new access token
end
```

Hope this helps
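Putting the two snippets from the comment above together as one exchange flow, as an added example that is neither Guardian's own code nor from anyone in this thread. It assumes the Guardian 0.x API used above (`Guardian.Claims`, `encode_and_sign(resource, type, claims)`, a "typ" claim carrying the token type) and a configured serializer exposing `from_token/1`; the module name and the access TTL are made up.

```elixir
defmodule MyApp.RefreshExchange do
  # Example module (not part of Guardian). Assumes the Guardian 0.x API:
  # Guardian.Claims, Guardian.encode_and_sign/3, Guardian.decode_and_verify/1
  # and Guardian.serializer/0 returning a module with from_token/1.

  # Access tokens issued from a refresh token should live much shorter than
  # the refresh token itself; 15 minutes is an assumed value.
  @access_ttl {15, :minutes}
  @refresh_ttl {60, :days}

  # Issue a long-lived token of type "refresh" for a resource.
  def issue_refresh_token(resource) do
    claims = Guardian.Claims.app_claims() |> Guardian.Claims.ttl(@refresh_ttl)
    Guardian.encode_and_sign(resource, "refresh", claims)
  end

  # Exchange a refresh token for a short-lived "access" token.
  # Only a token whose "typ" claim is "refresh" is accepted, so a still-valid
  # access token cannot be used to mint another one. Signature and expiry are
  # checked by decode_and_verify; revocation needs something like GuardianDb,
  # which this module does not add.
  def exchange(refresh_jwt) do
    with {:ok, claims} <- Guardian.decode_and_verify(refresh_jwt),
         :ok <- check_type(claims),
         {:ok, resource} <- Guardian.serializer().from_token(claims["sub"]) do
      access_claims =
        Guardian.Claims.app_claims() |> Guardian.Claims.ttl(@access_ttl)

      Guardian.encode_and_sign(resource, "access", access_claims)
    end
  end

  defp check_type(%{"typ" => "refresh"}), do: :ok
  defp check_type(_claims), do: {:error, :not_a_refresh_token}
end
```

The `with` returns the first `{:error, _}` it meets unchanged, so a caller sees the same error shapes `decode_and_verify` already produces plus `:not_a_refresh_token` for a wrong token type.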