Django Refresh Token Rotation and User Page Refresh

Question

I'm using Django simple JWT to implement user authentication, I have done few adjustments so the access token and refresh token are sent as http-only cookies and everything works well

On the frontend I have implemented Persistent Login that would keep the user logged in when they refresh the page or close the browser etc.

But since I have enabled these settings:

"ROTATE_REFRESH_TOKENS": True,
"BLACKLIST_AFTER_ROTATION": True,

If the user keeps refreshing the page multiple times in a very short time, it might occur that a token is blacklisted before the user receives the new refresh token

is there a way to fix that? One possible fix yet I'm not sure of its reliability is disabling the automatic blacklisting and waiting for the frontend to send a request upon receiving the new refresh token, the request containing the old refresh token in its body like this

@api_view(['POST'])
def blacklist_token(request):
    refreshToken = request.data.get("refresh")
    print(refreshToken)
    if refreshToken:
        token = tokens.RefreshToken(refreshToken)
        token.blacklist()
    return Response(status=status.HTTP_200_OK)

PS: Using React.js on the frontend

Answer 1

Refreshing a page should not require a token refresh. Instead the backend should receive and use the existing access token (from the HTTP only cookie).

When the access token expires, the backend should return a 401 unauthorized response to the frontend. The frontend can then perform a synchronized token refresh.

This copes reliably with multiple views getting data concurrently. If only a single view gets data at a time, it is safe to initiate the token refresh server side instead.

Eventually, the refresh token will also expire. In OAuth 2.0, the authorization server returns an invalid_grant error code in this case. The frontend then redirects the user to authenticate again.

I would recommend rehearsing these expiry events, since that's a great way to ensure a reliable app, where the user never experiences unnecessary errors.

Answer 2

I don't know if I got your question right, but I think that throttling can be very helpful in this situation. It's very similar to permissions and it's easy to setup.

And I know you didn't ask for this, but maybe it's not the best practice to save the access token in a cookie, like OWASP says here.

Answer 3

As I understand, I got your problem.

What happens : -

With "BLACKLIST_AFTER_ROTATION": True

Old tokens get blacklisted and new one is created for each request. So, when you refresh fast in a short time, you request same page multiple times before you receive new token.

So, upon the first request, the old token is blacklisted. And, if you attempt to request again using the old key(blacklisted), your access is blocked.

Solutions :-

1)

set

"BLACKLIST_AFTER_ROTATION": False 

And forget about it. So you can battle this rare case.

2)

"BLACKLIST_AFTER_ROTATION": True

And Blacklist old keys with a delay. Like after 60 seconds after. Like by adding them to a queue.

3)

As you suggested. Using the

@api_view(['POST'])
def blacklist_token(request):
    refreshToken = request.data.get("refresh")
    print(refreshToken)
    if refreshToken:
        token = tokens.RefreshToken(refreshToken)
        token.blacklist()
    return Response(status=status.HTTP_200_OK)

your code.