8
votes

At the moment I am using JWT authentication for my django REST API.

But with the JWT library I can't refresh the token after it expires (5 minutes): https://github.com/GetBlimp/django-rest-framework-jwt

So I need to integrate OAuth 2.0 for the refresh token and a JWT for the access token.

How can I integrate JWT + OAuth 2.0 in my REST Framework project, or are there any samples?

EX: https://github.com/GetBlimp/django-rest-framework-jwt plus https://django-oauth-toolkit.readthedocs.io/en/latest/#


2 Answers

0
votes

The route that we've gone is to increase the token expiry time (let's say to 36 hours), and then, when a certain threshold is reached (like 12 hours before the token expires), request a new token from the server.

Why 36 and 12? Totally hypothetical here, but a user might visit a site once every 1.5 days, and a 12 hour window for refreshing leaves time for them to have a life outside of our website (which sounds crazy to me, but that's another story). Choose the hours that seem to fit the behaviors of your users. Try to find a time when users are likely to come back to your site and make an educated decision on a refresh window. Of course, JWT has a refreshable time limit as well, which you might have seen in some applications that say "Sign me in for the next 30 days," after which the user has to reauthenticate.

Security-wise? After reading a bunch of answers on SO, it seems that having longer expiry periods does not make your JWTs more vulnerable. If you're paranoid, you can blacklist the JWTs that are old (but still have time remaining), but going over HTTPS should be sufficient for most cases.

0
votes

These are my suggestions:

  • You just need to use JWT (no need to use OAuth 2.0 for the refresh token).
  • If you want to refresh the token after 5 mins, you should customize your app a bit.

Step 1: You need to add a table called BlackList (this table will store all tokens that have expired after 5 mins).

Step 2: Write a script to set the expiration time for any token to 5 mins, and put that token in the BlackList table.

Step 3: Then you need to override the authentication method to check the token against the BlackList table first; create a new one, or deny permission ... then
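The two answers above describe complementary pieces: a long-lived token refreshed once it falls inside a threshold window (first answer), and a blacklist consulted before a token is trusted (second answer). The following is an added example, not code from the question, from either answer, or from django-rest-framework-jwt / django-oauth-toolkit. It builds a minimal HS256 JWT issuer and verifier on the Python standard library so it runs without Django, then implements both ideas on top of it. `SECRET`, `ACCESS_TTL`, `REFRESH_THRESHOLD`, and the in-memory `BlackList` set (standing in for the database table the second answer describes) are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"replace-me-with-a-random-key"  # assumption: HS256 key; use >=32 random bytes in practice
ACCESS_TTL = 36 * 3600         # 36-hour expiry, the figure used in the first answer
REFRESH_THRESHOLD = 12 * 3600  # refresh once fewer than 12 hours remain


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: int) -> str:
    """Mint an HS256 JWT for user_id with iat/exp derived from `now`."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ACCESS_TTL}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: int) -> dict:
    """Check structure, algorithm, signature and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm-swap tokens
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload["exp"] <= now:
        raise ValueError("expired")
    return payload


# Second answer: a table of revoked tokens consulted before a token is trusted.
# A set stands in for the database table here (assumption for the example).
BlackList = set()


def should_refresh(payload: dict, now: int) -> bool:
    """First answer: refresh once the remaining lifetime drops below the threshold."""
    return payload["exp"] - now < REFRESH_THRESHOLD


def refresh_if_needed(token: str, now: int) -> str:
    """Return the same token while it has plenty of life left, otherwise a new one.
    The old token goes on the blacklist so it cannot be replayed during its
    remaining lifetime. An already-expired token raises ValueError: the user
    has to log in again."""
    payload = verify_token(token, now)
    if not should_refresh(payload, now):
        return token
    BlackList.add(token)
    return issue_token(payload["sub"], now)


def authenticate(token: str, now: int):
    """The authentication override from the second answer: consult BlackList
    first, then verify normally. Returns the user id, or None to deny."""
    if token in BlackList:
        return None
    try:
        return verify_token(token, now)["sub"]
    except ValueError:
        return None


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_token("alice", now)
    print(authenticate(tok, now))                                  # alice
    later = now + 25 * 3600                                        # 11 hours of life left
    new_tok = refresh_if_needed(tok, later)
    print(authenticate(tok, later), authenticate(new_tok, later))  # None alice
```

Two design points worth noting: the verifier pins `alg` to HS256 before checking the signature, so a token whose header says `none` or names another algorithm is rejected outright; and the blacklist is keyed on the whole token here only because the example is in-memory. A real table would store a short identifier (a `jti` claim) and can be pruned once the token's `exp` has passed, since an expired token fails verification anyway.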