Token refresh returns 401


#1

I’m a bit confused about refreshing session tokens. To refresh an admin’s token I am performing a PUT to https://hostname.com/api/v2/system/admin/session. I have attempted to do this both by adding “?session_token=mytoken” and by passing the “X-DreamFactory-Session-Token” header.

Both methods result in a 401 error telling me that my session token has expired and that I need to refresh it.

For now, I am getting around this by just re-logging in, but it would be nice to be able to refresh tokens. Any suggestions?


#2

Hi @jsolbrig,

A solution if you want forever sessions can be found in this wiki article http://wiki.dreamfactory.com/DreamFactory/Tutorials/Forever_sessions. Please correct me if I’m wrong, but I believe the issue you are running into is from following these instructions http://wiki.dreamfactory.com/DreamFactory/Tutorials/Refreshing_a_JWT? I will test this and get back with you.

Best,
Kevin McGahey


#3

Thanks, yes, I was following the instructions you link to. I’m trying to avoid forever sessions if possible, but may go that route.


#4

@jsolbrig,

This is how it is intended to be used by the author of the package we use: https://github.com/tymondesigns/jwt-auth/issues/150
https://github.com/tymondesigns/jwt-auth/issues/66.

Great question by the way! Our documentation on this is quite confusing on this topic, but I will do my best to explain how this works. So, if the DF_JWT_TTL is 1 minute and the DF_JWT_REFRESH_TTL is 2 minutes then you can refresh the token as many times as needed during the 1 minute period in turn continuing to refresh the token until the 2 minute timer is up. I would recommend extending the DF_JWT_REFRESH_TTL in the .env file to a longer time to refresh your tokens.

Please let me know if I need to explain further or if it is hard to follow.

Best,
Kevin McGahey


#5

@Kevin_Mcgahey

I think I see what I’m doing wrong. Thanks!

It was a dumb mistake on my part. I was attempting to refresh my token only after the first time I got a 401 error. Of course that didn’t work. The token was stale by that point, so I couldn’t access the API to refresh it.

I think something added to the docs to indicate that the token needs to be refreshed BEFORE it becomes stale might be helpful for people who aren’t thinking.
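As an added example (not code from the thread or from DreamFactory), a small Python model of the refresh policy Kevin describes in #4 and the pitfall in #5: the client reads the token's `iat`/`exp` claims, refreshes shortly before expiry, and stops refreshing once DF_JWT_REFRESH_TTL has elapsed since the original login. It assumes both TTLs are expressed in minutes in the .env and that a refreshed token keeps the original `iat`; `fake_refresh` and the 10-second margin are stand-ins, not DreamFactory behaviour.

```python
import base64
import json
# Constructed values mirroring post #4: DF_JWT_TTL = 1 minute and
# DF_JWT_REFRESH_TTL = 2 minutes (assumed to be minutes in the .env).
JWT_TTL_SEC = 60
JWT_REFRESH_TTL_SEC = 120
REFRESH_MARGIN_SEC = 10  # hypothetical client-side safety margin before exp

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    # Reads the payload WITHOUT verifying the signature: fine for deciding when
    # to refresh, never for trusting a token on the server side.
    _header, payload, _sig = token.split(".")
    return json.loads(_unb64url(payload))

def make_test_token(iat: int, exp: int) -> str:
    # Constructed, unsigned token; "sig" is a dummy segment since nothing verifies it.
    parts = [{"alg": "HS256", "typ": "JWT"}, {"iat": iat, "exp": exp}]
    return ".".join(_b64url(json.dumps(p).encode()) for p in parts) + ".sig"

def refresh_decision(token: str, now: int) -> str:
    # 'keep', 'refresh' or 'relogin' per the thread's policy: refresh only while the
    # token is still valid, and only until REFRESH_TTL has passed since the ORIGINAL iat.
    c = jwt_claims(token)
    if now >= c["exp"]:
        return "relogin"  # stale: the refresh call itself gets the 401 from post #1
    if now >= c["iat"] + JWT_REFRESH_TTL_SEC:
        return "relogin"  # refresh window closed; a fresh login is required
    if now >= c["exp"] - REFRESH_MARGIN_SEC:
        return "refresh"  # about to expire: refresh now, before it goes stale
    return "keep"

def fake_refresh(token: str, now: int) -> str:
    # Stand-in for PUT /api/v2/system/admin/session: new exp, original iat kept (assumption).
    return make_test_token(jwt_claims(token)["iat"], now + JWT_TTL_SEC)

def simulate(login_at: int, poll_every: int = 5) -> int:
    # Poll from login until a new login is needed; returns that time in seconds.
    token = make_test_token(login_at, login_at + JWT_TTL_SEC)
    now = login_at
    while refresh_decision(token, now) != "relogin":
        if refresh_decision(token, now) == "refresh":
            token = fake_refresh(token, now)
        now += poll_every
    return now
```

With the 1-minute/2-minute settings, `simulate(0)` refreshes at 50 s and 100 s and reports a required re-login at 120 s, which is the "2 minute timer" from post #4.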