File: token_types.rst

Package: python-djangorestframework-simplejwt 5.5.1-1
.. _token_types:

Token types
===========

Simple JWT provides two different token types that can be used to prove
authentication.  In a token's payload, its type is identified by the value of
its token type claim, which is named ``token_type`` by default.  This claim may
hold the value ``access``, ``sliding`` or ``refresh``; refresh tokens, however,
are not considered valid for authentication at this time.  The claim name used
to store the type can be customized by changing the ``TOKEN_TYPE_CLAIM``
setting.

By default, Simple JWT expects an "access" token to prove authentication.  The
allowed auth token types are determined by the value of the
``AUTH_TOKEN_CLASSES`` setting.  This setting contains a list of dot paths to
token classes.  It includes the
``'rest_framework_simplejwt.tokens.AccessToken'`` dot path by default but may
also include the ``'rest_framework_simplejwt.tokens.SlidingToken'`` dot path.
Either or both of those dot paths may be present in the list of auth token
classes.  If they are both present, then both of those token types may be used
to prove authentication.

Sliding tokens
--------------

Sliding tokens offer a more convenient experience to users of tokens with the
trade-offs of being less secure and, if the blacklist app is being used, less
performant.  A sliding token is one which contains both an expiration claim and
a refresh expiration claim.  As long as the timestamp in a sliding token's
expiration claim has not passed, it can be used to prove authentication.
Additionally, as long as the timestamp in its refresh expiration claim has not
passed, it may also be submitted to a refresh view to get another copy of
itself with a renewed expiration claim.  The security trade-off follows from
that design: the same token that is presented on every request also carries
the right to renew itself, so whoever captures it can keep it alive until the
refresh expiration claim passes, whereas a captured access token dies at its
own expiry and the separate refresh token can be kept out of ordinary request
traffic.
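The following script is an added illustration of the two mechanisms described on this page, the token-type gate that ``AUTH_TOKEN_CLASSES`` imposes and the interplay of a sliding token's expiration and refresh expiration claims.  It is not Simple JWT's own code: it builds minimal HS256 compact tokens with the Python standard library so the checks can be run offline.  The signing key, the lifetimes and the ``refresh_exp`` claim name are assumptions chosen for the demo (``token_type`` is Simple JWT's default ``TOKEN_TYPE_CLAIM``); the refresh rule implemented is the one stated in the paragraph above, namely that only the refresh expiration claim gates a refresh.

```python
"""Added illustration of the token-type gate and sliding-token expiry.

Not Simple JWT's code: a minimal HS256 compact JWS built with the standard
library so the checks below can be run offline.  Key, claim names and
lifetimes are assumptions made for this demo.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"demo-signing-key-not-for-production"  # constructed for the demo
TOKEN_TYPE_CLAIM = "token_type"    # Simple JWT's default TOKEN_TYPE_CLAIM
REFRESH_EXP_CLAIM = "refresh_exp"  # assumed name of the refresh expiration claim
ACCESS_LIFETIME = 300              # seconds; assumed lifetimes for the demo
SLIDING_LIFETIME = 300
SLIDING_REFRESH_LIFETIME = 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(payload: dict) -> str:
    """Serialise payload as header.payload.signature with an HMAC-SHA256 tag."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(SECRET, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(tag)}"


def decode(token: str) -> dict:
    """Verify the signature in constant time and return the payload, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, tag = parts
    expected = hmac.new(SECRET, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(tag)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    return json.loads(_b64url_decode(body))


def issue_access(user_id: int, now: int) -> str:
    return encode({"user_id": user_id, TOKEN_TYPE_CLAIM: "access", "exp": now + ACCESS_LIFETIME})


def issue_refresh(user_id: int, now: int) -> str:
    return encode({"user_id": user_id, TOKEN_TYPE_CLAIM: "refresh", "exp": now + SLIDING_REFRESH_LIFETIME})


def issue_sliding(user_id: int, now: int) -> str:
    """A sliding token carries both an expiration and a refresh expiration claim."""
    return encode({"user_id": user_id, TOKEN_TYPE_CLAIM: "sliding",
                   "exp": now + SLIDING_LIFETIME,
                   REFRESH_EXP_CLAIM: now + SLIDING_REFRESH_LIFETIME})


def authenticate(token: str, allowed_types: set, now: int) -> int:
    """The AUTH_TOKEN_CLASSES gate: the type claim must name an allowed type and
    the expiration claim must still lie in the future.  Returns the user id."""
    payload = decode(token)
    token_type = payload.get(TOKEN_TYPE_CLAIM)
    if token_type not in allowed_types:
        raise ValueError(f"token type {token_type!r} not accepted for authentication")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload["user_id"]


def refresh_sliding(token: str, now: int) -> str:
    """Refresh rule as described on this page: only the refresh expiration claim
    is checked; the copy gets a fresh exp while refresh_exp is carried over."""
    payload = decode(token)
    if payload.get(TOKEN_TYPE_CLAIM) != "sliding":
        raise ValueError("only sliding tokens can refresh themselves")
    if payload.get(REFRESH_EXP_CLAIM, 0) <= now:
        raise ValueError("refresh window closed")
    renewed = dict(payload)
    renewed["exp"] = now + SLIDING_LIFETIME
    return encode(renewed)


def rejects(func, *args):
    """Return the rejection reason for a call, or None if it was accepted."""
    try:
        func(*args)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is deterministic
    sliding = issue_sliding(7, now)
    print("sliding accepted:", authenticate(sliding, {"sliding"}, now + 100))
    print("after exp:", rejects(authenticate, sliding, {"sliding"}, now + 400))
    renewed = refresh_sliding(sliding, now + 400)
    print("renewed accepted:", authenticate(renewed, {"sliding"}, now + 500))
    print("refresh token for auth:",
          rejects(authenticate, issue_refresh(7, now), {"access", "sliding"}, now))
```

Note that ``refresh_sliding`` deliberately leaves the refresh expiration claim untouched: renewing the token moves only its short expiry forward, so the long deadline set at issue time still bounds how long a captured token can be kept alive.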

If you want to use sliding tokens, change the ``AUTH_TOKEN_CLASSES`` setting to
``('rest_framework_simplejwt.tokens.SlidingToken',)``.  (Alternatively, the
``AUTH_TOKEN_CLASSES`` setting may include dot paths to both the
``AccessToken`` and ``SlidingToken`` token classes in the
``rest_framework_simplejwt.tokens`` module if you want to allow both token
types to be used for authentication.)
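Simple JWT reads its settings from the ``SIMPLE_JWT`` dictionary in the Django settings module.  The fragment below is an added example, not taken from the project's own documentation, showing the two variants of the ``AUTH_TOKEN_CLASSES`` setting described above; the commented-out alternative accepts both token classes.

```python
# settings.py (added example; the SIMPLE_JWT dict holds all Simple JWT settings)
SIMPLE_JWT = {
    # Accept only sliding tokens as proof of authentication ...
    "AUTH_TOKEN_CLASSES": ("rest_framework_simplejwt.tokens.SlidingToken",),
    # ... or accept both access and sliding tokens:
    # "AUTH_TOKEN_CLASSES": (
    #     "rest_framework_simplejwt.tokens.AccessToken",
    #     "rest_framework_simplejwt.tokens.SlidingToken",
    # ),
    # Name of the claim that carries the token type (default shown).
    "TOKEN_TYPE_CLAIM": "token_type",
}
```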

Also, include URL patterns for the sliding-token-specific
``TokenObtainSlidingView`` and ``TokenRefreshSlidingView`` views alongside or
in place of those for the access-token-specific ``TokenObtainPairView`` and
``TokenRefreshView`` views:

.. code-block:: python

  from django.urls import path
  from rest_framework_simplejwt.views import (
      TokenObtainSlidingView,
      TokenRefreshSlidingView,
  )

  urlpatterns = [
      ...
      # Issues a sliding token in exchange for user credentials.
      path('api/token/', TokenObtainSlidingView.as_view(), name='token_obtain'),
      # Accepts a sliding token and returns a copy with a renewed expiration claim.
      path('api/token/refresh/', TokenRefreshSlidingView.as_view(), name='token_refresh'),
      ...
  ]

Be aware that, if you are using the blacklist app, Simple JWT validates every
sliding token against the blacklist on each authenticated request.  Because
that check is a database lookup per request, it reduces the performance of
authenticated API views.