Refreshing a JWT
Revision as of 18:13, 30 June 2016
DreamFactory uses JSON Web Tokens (JWT) to maintain user sessions on the server side in a stateless manner. One of the features of JWT is the ability to refresh the token without re-authenticating, as long as the token is still within the allowed refresh time-frame since it was created. There are two time-to-live (TTL) values that you can configure for JWT in the .env file.
- DF_JWT_TTL
  Expiration TTL. This is the time (in minutes) until the token expires. After it expires it can still be refreshed until DF_JWT_REFRESH_TTL is reached.
- DF_JWT_REFRESH_TTL
  Refresh TTL. This is the time (in minutes) within which you can refresh the token. Between DF_JWT_TTL and DF_JWT_REFRESH_TTL the token can be refreshed as many times as you want without re-authenticating. After DF_JWT_REFRESH_TTL you must log in again.
For example, let's say your expiration TTL (DF_JWT_TTL) is 60 (1 hour) and your refresh TTL (DF_JWT_REFRESH_TTL) is 360 (6 hours). Your user authenticates at 09:00 and receives a JWT. This token is valid until 10:00. Between 10:00 and 15:00 it can be refreshed as many times as you like. When the token is refreshed the timers are reset. For example if you refresh at 13:00 then the token is valid until 14:00, and can be refreshed until 19:00.
Refreshing JWT for an admin user
You can pass the current expired (but still refreshable) session token as a query parameter or a header. For this example assume your session token is abc.123.efg.
Query Parameter
PUT https://foo.com/api/v2/system/admin/session?session_token=abc.123.efg
-- OR --
Request header
PUT https://foo.com/api/v2/system/admin/session
X-DreamFactory-Session-Token: abc.123.efg
Refreshing JWT for a non-admin user
You can pass the current expired (but still refreshable) session token as a query parameter or a header. For this example assume your session token is abc.123.efg.
Query Parameter
PUT https://foo.com/api/v2/user/session?session_token=abc.123.efg
-- OR --
Request header
PUT https://foo.com/api/v2/user/session
X-DreamFactory-Session-Token: abc.123.efg
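The timeline above (TTL 60, refresh TTL 360, login at 09:00, refresh at 13:00) and the header variant of the refresh call, as an added Python example that is not DreamFactory's own client code. The base URL, the admin/non-admin switch, the boundary handling at exactly DF_JWT_TTL, and the rule that only an expired-but-refreshable token is refreshed are assumptions made for this example.

```python
from datetime import datetime, timedelta
from enum import Enum
from urllib.request import Request

# Constructed values mirroring the page's example: 60 and 360 minutes.
DF_JWT_TTL = 60
DF_JWT_REFRESH_TTL = 360


class TokenState(Enum):
    VALID = "valid"              # younger than DF_JWT_TTL: usable as-is
    REFRESHABLE = "refreshable"  # between DF_JWT_TTL and DF_JWT_REFRESH_TTL
    EXPIRED = "expired"          # past DF_JWT_REFRESH_TTL: must log in again


def token_state(issued_at, now, ttl=DF_JWT_TTL, refresh_ttl=DF_JWT_REFRESH_TTL):
    """Classify a token by its age since issue (or since the last refresh).

    Assumption: a token is treated as expired at exactly ttl minutes, and as
    no longer refreshable at exactly refresh_ttl minutes.
    """
    age = now - issued_at
    if age < timedelta(minutes=ttl):
        return TokenState.VALID
    if age < timedelta(minutes=refresh_ttl):
        return TokenState.REFRESHABLE
    return TokenState.EXPIRED


def refresh(issued_at, now, ttl=DF_JWT_TTL, refresh_ttl=DF_JWT_REFRESH_TTL):
    """Return the new issue time after a refresh, or None if not allowed.

    A successful refresh resets both timers from `now`. Assumption: refresh is
    only attempted for an expired-but-refreshable token, as the page describes.
    """
    if token_state(issued_at, now, ttl, refresh_ttl) is TokenState.REFRESHABLE:
        return now
    return None


def refresh_request(base_url, session_token, admin=False):
    """Build (but do not send) the PUT request using the header variant.

    The base_url and the admin switch are assumptions; the paths and header
    name are the ones shown on the page.
    """
    path = "/api/v2/system/admin/session" if admin else "/api/v2/user/session"
    req = Request(base_url + path, method="PUT")
    req.add_header("X-DreamFactory-Session-Token", session_token)
    return req
```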