Hello.
Maybe I'm being dense, but is there a way to refresh a token each time a user sends a request that requires one while each time pushing the expiration out?
For example, we have a couple apps in production that have a set time, and occasionally if you are very unlucky you will hit "save" and the system will kick you out rather than saving. This is, obviously, a really dumb way to do it. So what can I do to refresh each time, still keep the 2 hour window, but make sure that each time the token is refreshed the two hour window starts over?
Thank you!
Matt
Add the routes in question under the 'jwt.refresh' middleware; this should refresh the token on every request to those routes.
Thanks for the reply @knox2. If I implement that, will it refresh the same token, meaning it pushes its expiration into the future? Also does that mean the token is returned in the response as well?
@mcblum it invalidates the current token and generates a new one, returning it in the header of the response
@knox2 I'm sorry to be dense. And when it does that, it resets the expiration time to whatever you have the time set to, correct? Meaning every request pushes the expiration that much further into the future?
Nope, I'm running into this problem too. See issue I just created: #998
Basically the problem is, the refreshed token does get a new expiration time set correctly, but when that token does expire and you want to refresh that, it will give a token expired exception as well, because the check for the refresh time is based on the IAT time, which is not moved forward when refreshing a token. (At least I see that as a problem, not sure yet if that is intended behaviour.)
@sleenen I see - so your issue is the same as mine. Basically we both want the expiration of the token to be moved forward into the future each time it is refreshed. So, if a user was constantly using an app they could, essentially, continue to use it forever as long as they made one API request that was calling jwt.refresh within the defined ttl time. So if I have ttl set to two hours, one API call every two hours is enough to push the token into the future another two hours. However, if at any point two hours passes and the user has not made an API call, the token would then be invalid and they would have to log in again.
@mcblum exactly what we want yes
Would setting the JWT_REFRESH_TTL in your config to NULL actually be the same thing?
Unfortunately, no, that would not be the same
Same issue here. Basically I need a way to push the current token expiration into the future, not generate a new token, while we only generate a new token if the token truly expires (i.e. hasn't been extended within the TTL window).
OK it looks like I may have found a solution for this.
Set your auth protected routes to use jwt.refresh.
In your config/jwt.php file, go down to blacklist_enabled and set it to true, then set your blacklist_grace_period to the period you want the TTL window on the refresh to be. What this does is basically allow you to continue using the same token as long as you're in the grace period window. After that it will expire, but while in the window it continues to extend the TTL of your current token for as long as it's being used.
To test this, simply set blacklist_grace_period to, say, 10 seconds. Authenticate to get your initial token, then continue to make auth protected requests every second or two (less than 10 seconds apart) and you'll notice they all work, but then if you wait 10 seconds and try to make a request after that, you get a 401.
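The route wiring and config keys from the comment above, written out as an added illustration (not files from this thread or from the tymon/jwt-auth project). The key and middleware names are the package's own; the route, the controller name and the numeric values are assumptions chosen to match the two-hour window discussed earlier.

```php
<?php
// Two fragments, added as an illustration (not files from the thread or
// from tymon/jwt-auth). Key and middleware names are the package's own;
// the route, controller name and numeric values are assumptions.

// ---- routes file (fragment) ----
// jwt.auth rejects missing/invalid tokens; jwt.refresh then invalidates the
// presented token and returns a new one in the response's Authorization
// header, as described earlier in the thread. A client that keeps sending
// the old token relies entirely on blacklist_grace_period below.
Route::group(['middleware' => ['jwt.auth', 'jwt.refresh']], function () {
    Route::post('/documents/{id}/save', 'DocumentController@save');
});

// ---- config/jwt.php (fragment) ----
return [
    // Lifetime of a freshly issued token, in minutes (2 hours).
    'ttl' => 120,

    // Window, in minutes from the token's original iat, during which
    // jwt.refresh may exchange it for a new one. As noted above, iat is
    // not moved forward on refresh, so this bounds the total session length.
    'refresh_ttl' => 20160,

    // Record refreshed (and logged-out) tokens so they cannot be replayed.
    'blacklist_enabled' => true,

    // Seconds during which a just-blacklisted token is still accepted.
    // The comment above sets this to the desired sliding window (2 h here).
    // Trade-off raised later in the thread: a token invalidated by logout
    // is also still accepted for this long.
    'blacklist_grace_period' => 7200,
];
```

A client that swaps in the refreshed token from each response's Authorization header does not need a long grace period at all; only a client that keeps reusing the original token does.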
@jubairsaidi Like you said, I set blacklist_enabled to true and added 'blacklist_grace_period' => 120, next to it. But in my case it did not work. Do you have an idea why it might happen?
@jubairsaidi With this I encountered another issue. Now when you try to log a user out of the system, the token doesn't get blacklisted.
Have you found any solution for this?