I don't understand the JWT refresh token behavior (LARAVEL)

2022-01-10 00:00:00 jwt php laravel

I have just tried JWT auth with LARAVEL and this https://github.com/tymondesigns/jwt-auth

But there's something I can't understand. In their config they put:

'ttl' => env('JWT_TTL', 60), // in minutes
'refresh_ttl' => env('JWT_REFRESH_TTL', 20160), // in minutes

What I understand: the token's life is 1 hour and it can be refreshed within 2 weeks.

But after 3 hours, if I try to query something, it says "token expired".

Does this system mean a user must get his token updated/refreshed every hour, but with a limit of 2 weeks? I don't get it.

How can a user persist login with this kind of system? How is the refresh token useful when, after the first hour, though it hasn't been 2 weeks yet, I can't get a fresh token?

Thanks

UPDATE: code

config/jwt.php

'ttl' => 2, // 2 minutes
'refresh_ttl' => 5, // 5 minutes

routes/api.php

Route::post('/login', 'AuthController@login');
Route::get('/test', 'AuthController@test')->middleware('jwt.auth', 'jwt.refresh');

Http/Controllers/AuthController

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use JWTAuth;
use Tymon\JWTAuth\Exceptions\JWTException;

class AuthController extends Controller
{
    public function test()
    {
        return response()->json(['coucou' => 1]);
    }

    public function login(Request $request)
    {
        // grab credentials from the request
        $credentials = $request->only('email', 'password');

        try {
            // attempt to verify the credentials and create a token for the user
            if (! $token = JWTAuth::attempt($credentials)) {
                return response()->json(['error' => 'invalid_credentials'], 401);
            }
        } catch (JWTException $e) {
            // something went wrong whilst attempting to encode the token
            return response()->json(['error' => 'could_not_create_token'], 500);
        }

        // all good so return the token
        return response()->json(compact('token'));
    }
}

Here is the flow:

request to /login with {username: xxx, password: xxx}; response of /login > {token: xxxxxxx}

request to /test straight after (10 secs) with Bearer xxxxxx; response of /test > the good JSON response with NEW TOKEN in HEADER

request to /test after 3 minutes (so 3 mins 10 secs have passed now, less than the 5 min refresh limit); response of /test > token expired

I don't get it.

Recommended answer

After the access token has expired you can use the refresh token to get a new access token without asking the user to input his username and password again. Only after the refresh token has expired does the user need to log in again.

But after 3 hours, if I try to query something, it says "token expired".

That's because the access token has expired.

Does this system mean a user must get his token updated/refreshed every hour, but with a limit of 2 weeks? I don't get it.

Yes. You keep the refresh token in your client system and use it to request a new access token when the access token has expired.
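One way to implement the "request a new access token after it has expired" step from the answer with tymondesigns/jwt-auth, as an added example rather than code from the question or the answer: a dedicated /refresh endpoint. The controller name and route are assumptions; the endpoint is deliberately not placed behind the jwt.auth middleware, since that middleware rejects an already-expired access token before any refresh can happen.

```php
<?php
// Added example (not from the question or answer). Assumes routes/api.php contains:
//   Route::post('/refresh', 'AuthController@refresh');
// with NO 'jwt.auth' middleware on it: that middleware throws on an expired token,
// which is exactly the token the client needs to present here.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Tymon\JWTAuth\Facades\JWTAuth;
use Tymon\JWTAuth\Exceptions\JWTException;
use Tymon\JWTAuth\Exceptions\TokenExpiredException;

class AuthController extends Controller
{
    // Client flow: call /test with the Bearer token; on a "token expired"
    // reply, POST the same (expired) token to /refresh, store the returned
    // token, and retry /test. Only when /refresh itself answers 401 does the
    // user have to go through /login again.
    public function refresh(Request $request)
    {
        try {
            // Parse the Bearer token from the request and mint a replacement.
            // jwt-auth accepts an expired token here as long as its issued-at
            // time is still within refresh_ttl and it is not blacklisted.
            $newToken = JWTAuth::parseToken()->refresh();
        } catch (TokenExpiredException $e) {
            // refresh_ttl has been exceeded: the session is over, log in again.
            return response()->json(['error' => 'refresh_window_expired'], 401);
        } catch (JWTException $e) {
            // missing, malformed, tampered or blacklisted token
            return response()->json(['error' => 'token_invalid'], 401);
        }

        // With blacklist_enabled (the default) the old token is now invalid,
        // so the client must replace the stored token with this one.
        return response()->json(['token' => $newToken]);
    }
}
```

The user's own config of ttl = 2 and refresh_ttl = 5 minutes would then behave as the answer describes: a 3-minute-old token is refused by /test but still accepted by /refresh, while a 6-minute-old token is refused by both.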
