JSON Web Tokens (JWTs) Refresh tokens


Caleb Pineur

Jun 26, 2016, 2:31:26 AM
to Django REST framework
All the articles and Stack Overflow answers I read about JWTs recommend the two-token approach.
A short-lived (5-10 min) access token that is used to access protected resources and a longer-lived refresh token
that is used to get more access tokens. I see that the https://github.com/GetBlimp/django-rest-framework-jwt package
is linked in the authentication docs, but this package does not support refresh tokens.

My question is how would one support a 'remember me' functionality (aka not have to sign in after not using the SPA
for just a few min) with Django REST Framework?

As an aside, since JSON Web Tokens seem to be taking off, is there a chance DRF will natively support them in the future?
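
The two-token approach described in the post above, as an added example that is not part of the original thread and not code from django-rest-framework-jwt: a signed access token with a 5-minute `exp`, plus an opaque refresh token kept server-side (hashed) so it can expire or be revoked. It uses only the Python standard library; the key, lifetimes, in-memory store and all function names are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-key"   # constructed value; load from a secret store in practice
ACCESS_TTL = 5 * 60                # short-lived access token (5 min, as in the post)
REFRESH_TTL = 14 * 24 * 3600       # assumed 'remember me' lifetime
_refresh_store = {}                # sha256(refresh token) -> (user_id, expires_at)

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(msg):
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).digest()

def issue_access(user_id, now=None):
    now = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user_id, "exp": now + ACCESS_TTL}).encode())
    return f"{header}.{body}.{_b64(_sign(f'{header}.{body}'))}"

def verify_access(token, now=None):
    """Return the user id, or None. HS256 is fixed here; the header's alg is never trusted."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(f"{header}.{body}"), _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:             # wrong part count, bad base64, bad JSON
        return None
    return claims.get("sub") if claims.get("exp", 0) > now else None

def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_refresh(user_id, now=None):
    token = secrets.token_urlsafe(32)          # opaque, not a JWT
    expires = (time.time() if now is None else now) + REFRESH_TTL
    _refresh_store[_key(token)] = (user_id, expires)
    return token

def refresh(refresh_token, now=None):
    now = time.time() if now is None else now
    user_id, expires_at = _refresh_store.get(_key(refresh_token), (None, 0))
    return issue_access(user_id, now) if expires_at > now else None

def revoke(refresh_token):
    _refresh_store.pop(_key(refresh_token), None)
```
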

yar...@sureapp.com

Jul 10, 2016, 8:31:04 AM
to Django REST framework
Using JWT, what would be the reasoning behind a refresh token at all, or having any expiration?
JWT allows you to have no storage on the server side for tokens, so there is no reason why a token would be invalidated/expire.
I like to look at a JWT as an ID badge signed by the server, so there would be no reason to expire that because the authority that signs the badge is authenticated by its signature.

But that's my opinion. Am I missing a benefit that expiration gives?

Tom Christie

Jul 11, 2016, 5:31:44 AM
to Django REST framework
> As an aside, since JSON Web Tokens seem to be taking off, is there a chance DRF will natively support them in the future

Yes, I think that's reasonably likely, though no firm decisions yet.

It's also possible that we could pull it under the banner of being an officially supported package, but without pulling it into the main repository (i.e. keeping it separately installable).