Access tokens and refresh tokens
- Access tokens usually carry an expiration time. Because they expire, we need a way to obtain a new one without asking the user to authenticate again.
- To support that, we create a refresh token and return it together with the access token when the user authenticates.
- Refresh tokens are generally long-lived. When the access token expires, the client calls a refresh endpoint presenting only the refresh token (in Flask-JWT-Extended, an endpoint protected with jwt_required(refresh=True)) and receives a new access token. Because a refresh token can mint new access tokens for its whole lifetime, it must be stored and transmitted more carefully than the access token.
- A refresh token is used only to obtain new access tokens; it must not be accepted in place of an access token on protected resources (Flask-JWT-Extended checks the token type by default).
- In the Flask-JWT-Extended package the create_refresh_token function creates a refresh token, just as create_access_token creates an access token.
- In some cases, even though the user holds a valid access token, the application requires them to have authenticated recently before performing a sensitive action (changing the profile picture etc). Flask-JWT-Extended handles this with the freshness pattern: the access token issued at login is marked fresh, access tokens obtained through the refresh endpoint are not, and sensitive endpoints require a fresh token. Refer Here
- Refer Here for the changes
User Logout Mechanism
- Because JWTs are stateless and stay valid until they expire, logout has to be implemented with a blacklist (blocklist) of revoked tokens.
- A blacklist is an access-control mechanism that denies the entries listed in it (an email, a token identifier, a user id etc).
- Here we blacklist tokens: on logout the token's unique identifier (the jti claim) is stored, and every later request checks the presented token against that store, so a logged-out token is rejected even though its signature and expiry are still valid.
- Lets add a database model for token black list and apply migrations
- Refer Here for the changes
- Refer Here for the implementation of black list functionality.
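As an added example that is not code from the page or from Flask-JWT-Extended, the whole flow of both sections above in one stand-alone script: login issues a fresh access token plus a refresh token, the refresh endpoint accepts only refresh tokens and mints non-fresh access tokens, a sensitive action demands a fresh token, and logout blacklists the token's jti so it is rejected afterwards. To run offline it implements a minimal HS256 JWT with the standard library instead of calling the library; require() plays the role of jwt_required(refresh=True) / jwt_required(fresh=True), and the check of BLOCKLIST inside decode() is what Flask-JWT-Extended's token_in_blocklist_loader callback does against the database table. The secret, user name, lifetimes and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import uuid

# Constructed secret for this example only; a real app loads it from config.
SECRET = b"example-secret-do-not-use-in-production"

ACCESS_TTL = 15 * 60              # access tokens: short-lived (assumed value)
REFRESH_TTL = 30 * 24 * 60 * 60   # refresh tokens: long-lived (assumed value)

# In-memory stand-in for the page's token blacklist table; holds revoked jti values.
BLOCKLIST = set()


class TokenError(Exception):
    """Malformed, tampered, expired, revoked or wrong-kind token."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(signing_input: bytes) -> str:
    return _b64url(hmac.new(SECRET, signing_input, hashlib.sha256).digest())


def encode(claims: dict) -> str:
    """Serialize claims as a compact HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_signature(signing_input.encode())}"


def decode(token: str, now: float) -> dict:
    """Verify alg, signature, expiry and revocation; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise TokenError("unexpected alg")          # never trust the header's alg blindly
    if not hmac.compare_digest(sig, _signature(f"{header}.{payload}".encode())):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims["exp"] <= now:
        raise TokenError("token expired")
    if claims["jti"] in BLOCKLIST:                   # the blacklist check of the logout section
        raise TokenError("token revoked")
    return claims


def create_access_token(identity: str, fresh: bool, now: float) -> str:
    return encode({"sub": identity, "type": "access", "fresh": fresh,
                   "jti": uuid.uuid4().hex, "iat": now, "exp": now + ACCESS_TTL})


def create_refresh_token(identity: str, now: float) -> str:
    return encode({"sub": identity, "type": "refresh",
                   "jti": uuid.uuid4().hex, "iat": now, "exp": now + REFRESH_TTL})


def login(identity: str, now: float) -> dict:
    """/login after the password check: a fresh access token plus a refresh token."""
    return {"access_token": create_access_token(identity, fresh=True, now=now),
            "refresh_token": create_refresh_token(identity, now)}


def require(token: str, now: float, refresh: bool = False, fresh: bool = False) -> dict:
    """Stand-in for jwt_required(refresh=..., fresh=...): verify the token and its kind."""
    claims = decode(token, now)
    kind = "refresh" if refresh else "access"
    if claims["type"] != kind:
        raise TokenError(f"{kind} token required")
    if fresh and not claims.get("fresh"):
        raise TokenError("fresh token required")
    return claims


def refresh(refresh_token: str, now: float) -> str:
    """/refresh: accepts only a refresh token; the new access token is non-fresh."""
    claims = require(refresh_token, now, refresh=True)
    return create_access_token(claims["sub"], fresh=False, now=now)


def change_profile_picture(access_token: str, now: float) -> str:
    """Sensitive action from the page: needs a fresh access token, i.e. a recent login."""
    claims = require(access_token, now, fresh=True)
    return f"profile picture updated for {claims['sub']}"


def logout(token: str, now: float) -> str:
    """/logout: record the token's jti so decode() rejects it from now on."""
    claims = decode(token, now)
    BLOCKLIST.add(claims["jti"])
    return claims["jti"]


def outcome(fn, *args, **kwargs) -> str:
    """Return 'ok' when fn succeeds, otherwise the TokenError message (for the demo)."""
    try:
        fn(*args, **kwargs)
        return "ok"
    except TokenError as exc:
        return str(exc)
```

Note that logout only blacklists the token that was presented; to end a session completely the client should send both the access and the refresh token (or the server should revoke the refresh token and let the short-lived access token expire), otherwise the refresh token can keep minting new access tokens.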