Hi all,
I am using Guardian for authentication and able to generate jwt token during login, however this token seems not expiring at all. I am able to access APIs with the token generated way long back (almost few weeks)
- How long is the token valid?
- Is there a way configure this?
- How do we renew the token if it expires?
- Also, old tokens seem working even if I stop and restart phx.server. Are the old token not get invalid upon restarting phx.server? If these tokens are generated by phx.server, How the tokens remain valid beyond the life cycle of the phx.server?
Appreciate any help/clarification in this regard.
Thanks,
Rajasekhar.
How long is the token valid?
From guardian/token/jwt.ex:
@default_ttl {4, :weeks}
Is there a way configure this?
Yes, for example:
config :xxx, XXXWeb.Guardian,
issuer: "xxx",
secret_key: "XXX",
token_ttl: %{
"magic" => {30, :minutes},
"access" => {30, :days}
}
How do we renew the token if it expires?
I don’t think you can renew after it expires. You can renew before it expires.
Also, old tokens seem working even if I stop and restart phx.server. Are the old token not get invalid upon restarting phx.server? If these tokens are generated by phx.server, How the tokens remain valid beyond the life cycle of the phx.server?
Token life is only governed by ttl. It is a piece of encrypted text that have everything contained; the server does not hold anything.
2 Likes
Thanks derek-zhou, this is useful and informative.
- I mean, how do we renew tokens(before expiry)? Is this done automatically or how is this handled/implemented at the backend? And how web/mobile clients should get the renewed tokens?
Thanks,
Rajasekhar.
It is not automatic. The doc is here:
https://hexdocs.pm/guardian/Guardian.html#refresh/3
I have not done this myself so I cannot give you a example, but it shouldn’t be hard.
You use refresh token to renew token without asking for credentials again.
