I don't understand the JWT refresh token behaviour (LARAVEL)
I have just tried JWT auth with LARAVEL and this https://github.com/tymondesigns/jwt-auth
But there's something I can't understand. In their config they put:
    'ttl' => env('JWT_TTL', 60), // in minutes
    'refresh_ttl' => env('JWT_REFRESH_TTL', 20160), // in minutes
What I understand: the token's life is 1 hour and it can be refreshed within 2 weeks.
But after 3 hours, if I try to query something, it says "token expired".
Does this system mean a user must get his token updated / refreshed every hour, but with a limit of 2 weeks? I don't get it.
How can a user persist login with this kind of system? How is the refresh token useful when, after the first hour, though it hasn't been 2 weeks yet, I can't get a fresh token?
Thanks
Update: code
config/jwt.php
    'ttl' => 2, // 2 minutes
    'refresh_ttl' => 5, // 5 minutes
routes/api.php
    Route::post('/login', 'AuthController@login');
    Route::get('/test', 'AuthController@test')->middleware('jwt.auth', 'jwt.refresh');
Http/Controllers/AuthController
    namespace App\Http\Controllers;

    use Illuminate\Http\Request;
    use JWTAuth;
    use Tymon\JWTAuth\Exceptions\JWTException;

    class AuthController extends Controller
    {
        // Protected by jwt.auth + jwt.refresh in routes/api.php
        public function test()
        {
            return response()->json(['coucou' => 1]);
        }

        public function login(Request $request)
        {
            // grab credentials from the request
            $credentials = $request->only('email', 'password');

            try {
                // attempt to verify the credentials and create a token for the user
                if (! $token = JWTAuth::attempt($credentials)) {
                    return response()->json(['error' => 'invalid_credentials'], 401);
                }
            } catch (JWTException $e) {
                // something went wrong whilst attempting to encode the token
                return response()->json(['error' => 'could_not_create_token'], 500);
            }

            // all good so return the token
            return response()->json(compact('token'));
        }
    }
Here is the flow:
request to /login with {username: xxx, password: xxx}; response of /login > {token: xxxxxxx}
request to /test straight after (10 secs) with Bearer xxxxxx; response of /test > the good JSON response with NEW TOKEN in HEADER
request to /test after 3 minutes (so 3 mins 10 secs have passed now, less than the 5 min refresh limit); response of /test > token expired
I don't get it.
Recommended answer
After the access token is expired you can use the refresh token to get a new access token without asking the user to input his username and password again. Only after the refresh token is expired does the user need to log in again.
"But after 3 hours, if I try to query something, it says "token expired"."
That's because the access token is expired.
"Does this system mean a user must get his token updated / refreshed every hour, but with a limit of 2 weeks? I don't get it."
Yes. You keep the refresh token in your client system and use it to request a new access token when the access token is expired.
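The two windows the answer describes can be replayed in code. The following is an added example, not part of the question, the answer or the jwt-auth package: a minimal HS256 token issuer that models the two checks separately. `authenticate()` plays the role of the `jwt.auth` middleware and rejects any token whose `exp` has passed; `refresh()` ignores `exp` and only asks whether the original `iat` plus `refresh_ttl` has passed. It assumes (modelled on jwt-auth, stated here as an assumption) that a refreshed token keeps the original `iat`, so the refresh window is measured from the first login, not from the last refresh. The secret, user and timestamps are constructed values, and the minutes mirror the asker's test config (`ttl` 2, `refresh_ttl` 5).

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo values; not a real key. Minutes mirror the asker's test
# config ('ttl' => 2, 'refresh_ttl' => 5).
SECRET = b"constructed-demo-secret-do-not-reuse"
TTL_SECONDS = 2 * 60
REFRESH_TTL_SECONDS = 5 * 60


class TokenInvalid(Exception):
    """Signature or structure check failed."""


class TokenExpired(Exception):
    """'exp' has passed: what jwt.auth reports as 'token expired'."""


class RefreshWindowClosed(Exception):
    """Original 'iat' + refresh_ttl has passed: the user must log in again."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64url(hmac.new(SECRET, signing_input, hashlib.sha256).digest())


def issue(sub: str, now: int, original_iat: Optional[int] = None) -> str:
    """Mint an HS256 token. 'exp' is always now + ttl. On refresh, 'iat' is
    carried over from the original token (assumption modelled on jwt-auth,
    which measures refresh_ttl from the first token's iat)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": sub,
        "iat": now if original_iat is None else original_iat,
        "exp": now + TTL_SECONDS,
    }
    signing_input = (
        _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    ).encode("ascii")
    return signing_input.decode("ascii") + "." + _sign(signing_input)


def decode(token: str) -> dict:
    """Verify the signature in constant time and return the payload.
    Does NOT check expiry; callers decide how to treat 'exp'."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("malformed token")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    if not hmac.compare_digest(_sign(signing_input).encode("ascii"), parts[2].encode("ascii")):
        raise TokenInvalid("bad signature")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise TokenInvalid("unexpected alg")
    return json.loads(_b64url_decode(parts[1]))


def authenticate(token: str, now: int) -> dict:
    """What the jwt.auth middleware does: reject an expired access token
    outright, even when it is still inside the refresh window."""
    payload = decode(token)
    if now >= payload["exp"]:
        raise TokenExpired("access token expired")
    return payload


def refresh(token: str, now: int) -> str:
    """Exchange a (possibly expired) token for a fresh one while the original
    iat + refresh_ttl has not passed. Only the signature and the refresh
    window are checked here; 'exp' is deliberately ignored."""
    payload = decode(token)
    if now >= payload["iat"] + REFRESH_TTL_SECONDS:
        raise RefreshWindowClosed("refresh_ttl elapsed; log in again")
    return issue(payload["sub"], now, original_iat=payload["iat"])


def replay_asker_flow() -> list:
    """Replay the question's timeline (ttl 2 min, refresh_ttl 5 min)."""
    events = []
    t0 = issue("user@example.com", 0)      # t=0s: POST /login
    authenticate(t0, 10)                    # t=10s: GET /test passes jwt.auth...
    t1 = refresh(t0, 10)                    # ...and jwt.refresh hands back a new token
    events.append(("t=10s", "ok, new token"))
    try:
        authenticate(t1, 190)               # t=190s: t1 expired at t=130s
    except TokenExpired:
        events.append(("t=190s", "jwt.auth: token expired"))
    t2 = refresh(t1, 190)                   # an explicit refresh still works (< 5 min)
    events.append(("t=190s", "refresh ok"))
    try:
        refresh(t2, 310)                    # t=310s: past original iat + refresh_ttl
    except RefreshWindowClosed:
        events.append(("t=310s", "refresh window closed, login again"))
    return events
```

The replay shows why the asker's third request fails: the `jwt.auth` middleware runs first and only looks at `exp`, so an access token that died at 2 minutes is rejected at 3 min 10 s regardless of the refresh window. The same token is still refreshable until 5 minutes after the first login, after which the client has to send credentials again.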