I am building a Django Rest Framework API which is using JWT authentication. I had created access tokens and refresh tokens and sent them to users.

I also have a refresh token endpoint that will take old refresh token and generate new pair of tokens and send to user.

I have doubt in its behavior related part. Currently what I can see that whenever I create new pair of access and refresh token using previous refresh token, the old access token is also working and new one is also working.

However once when I was using OAuth2.0 (in different case), I observed that in that case the old access token won't work if we had created new refreshed tokens.

But in case of my implementation of JWT in DRF this thing won't happens. I am not storing token in database.

So I want to know that is this any implementation specific problem or is it the property of JWT only, and if it is property then please share some details over it with me.

Thanks.

CodePudding user response：

According to JWT introduction:

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

One of the value, that you can encode is 'exp' which states for expiration date. That's why your old tokens do not expire, cause they expiration date is still valid, and any other claims didn't change. Idea behind the 'refresh' token, is to provide new tokens with bigger exp value. Saying other way, you should not expect that the authorization will fail now, as the old token is still correct one.

As well you store nothing in the database (about this I also suggest to read answer provided by @sdoxsee