Long Running Refresh Token for REST framework JWT Auth

Long-running refresh token support for JSON Web Token Authentication for Django REST Framework


Overview

This package provides a plugin that allows a JWT to be re-issued to a client that holds a refresh token stored in the database.

Requirements

Installation

Install using pip...

$ pip install djangorestframework-jwt-refresh-token

Long Running Refresh Token

This allows a client to request refresh tokens. These refresh tokens do not expire, but they can be revoked (deleted). When a JWT has expired, the client can send a request with the refresh token in the header and get back a new JWT.

In your settings.py, add refreshtoken to INSTALLED_APPS.

INSTALLED_APPS = [
    ...,
    'refreshtoken',
]

Then run migrate to add the new model.

python manage.py migrate refreshtoken

In your urls.py, add the following URL route to enable obtaining a token via a POST including the user's username and password.

Configure your urls to add the new endpoint:

from django.conf.urls import url  # Django's url() helper used by the route list below
from refreshtoken.routers import urlpatterns as rt_urlpatterns

urlpatterns = [
    url(...),
] + rt_urlpatterns  # appends the /delegate/ route provided by the refreshtoken app

You can include this refresh token in your JWT_RESPONSE_PAYLOAD_HANDLER:

from refreshtoken.models import RefreshToken  # the model the refreshtoken app adds (module path assumed)


def jwt_response_payload_handler(token, user=None, request=None):
    payload = {
        'token': token,
    }

    # Each refresh token is scoped to an app name; look up the one for this app.
    app = 'test'
    try:
        refresh_token = user.refresh_tokens.get(app=app).key
    except RefreshToken.DoesNotExist:
        refresh_token = None

    payload['refresh_token'] = refresh_token
    return payload

Then declare this custom payload_handler in your settings:

JWT_AUTH = {
    ...,
    'JWT_RESPONSE_PAYLOAD_HANDLER': 'path.to.jwt_response_payload_handler',
    ...,
}

Then your user can request a new JWT as long as the refresh_token exists.

$ http POST client_id=app grant_type="urn:ietf:params:oauth:grant-type:jwt-bearer" refresh_token=<REFRESH_TOKEN> api_type=app http://localhost:8000/delegate/
{"token": "your_jwt_token_...", "refresh_token": "your long running refresh token..."}
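As an added, self-contained illustration of the exchange above (this is not code from this package): an in-memory stand-in for the refresh-token table and a hypothetical delegate() function that mirrors what the /delegate/ request does. It accepts only the jwt-bearer grant_type, looks up the stored refresh token, checks that it belongs to the requesting client_id, and mints a fresh JWT; revoking the token (deleting the row) makes the same request fail. The JWT helpers implement HS256 with hmac so the example runs offline without the JWT library; SECRET_KEY, JWT_LIFETIME_SECONDS, RefreshTokenStore and the HTTP status codes are constructed assumptions, not the package's API.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret; a real deployment signs with Django's SECRET_KEY.
SECRET_KEY = b"constructed-demo-secret-do-not-use"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
JWT_LIFETIME_SECONDS = 300  # short-lived access token; refresh tokens never expire


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(username, now=None):
    """Mint an HS256 JWT with a short 'exp' claim (minimal stand-in for the JWT library)."""
    now = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    claims = _b64url(json.dumps({"username": username, "exp": now + JWT_LIFETIME_SECONDS}, **compact).encode())
    signing_input = header + "." + claims
    signature = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header, claims, signature = token.split(".")
        provided = _b64url_decode(signature)
        payload = json.loads(_b64url_decode(claims))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    expected = hmac.new(SECRET_KEY, (header + "." + claims).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


class RefreshTokenStore:
    """In-memory stand-in for the refreshtoken app's database table (constructed)."""

    def __init__(self):
        self._rows = {}  # key -> {"username": ..., "app": ...}

    def create(self, username, app):
        key = secrets.token_hex(20)  # random, unguessable key per (user, app)
        self._rows[key] = {"username": username, "app": app}
        return key

    def revoke(self, key):
        """Revocation is deletion: once the row is gone the key can never be delegated again."""
        self._rows.pop(key, None)

    def get(self, key):
        return self._rows.get(key)


def delegate(store, data, now=None):
    """Hypothetical equivalent of POST /delegate/: exchange a stored refresh token for a new JWT.

    Returns (http_status, response_body). Status codes are this example's choice.
    """
    if data.get("grant_type") != JWT_BEARER_GRANT:
        return 400, {"error": "unsupported grant_type"}
    key = data.get("refresh_token", "")
    row = store.get(key)
    if row is None:
        return 401, {"error": "invalid or revoked refresh_token"}
    if row["app"] != data.get("client_id"):
        return 401, {"error": "refresh_token does not belong to this client_id"}
    # The refresh token itself is returned unchanged, as in the /delegate/ response above.
    return 200, {"token": issue_jwt(row["username"], now), "refresh_token": key}


if __name__ == "__main__":
    store = RefreshTokenStore()
    key = store.create("alice", "app")
    request = {"client_id": "app", "grant_type": JWT_BEARER_GRANT, "refresh_token": key, "api_type": "app"}
    print(verify_jwt(issue_jwt("alice", now=1000), now=2000))  # expired access token -> None
    status, body = delegate(store, request, now=2000)
    print(status, verify_jwt(body["token"], now=2000))  # 200 and fresh claims for alice
    store.revoke(key)
    print(delegate(store, request, now=2000)[0])  # revoked -> 401
```

The checks run in the order a server should apply them: reject the request shape first, then look the token up, then confirm the token is bound to the client_id presenting it, so a token leaked from one app cannot be redeemed under another.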