Separate `refresh_token`

[leon0399]

Subject of the issue

Refresh token should be different from access_token. It does not only provide security vulnerability, but also a lot of misunderstandments (tymondesigns/jwt-auth#1105, tymondesigns/jwt-auth#2149, tymondesigns/jwt-auth#2116 are one of MANY), event Tymon mentioned this is needed at some point (tymondesigns/jwt-auth#1105 (comment))

Changing this behaviour can be a breaking change, so this feature might be planned for some kind of 2.0 version

Expected behaviour

You have to use different token to refresh your access_token

Actual behaviour

You have to usesame token to authenticate your requests and refresh your existing access_token

[Messhias]

Let's put this on 2.x.

[dexcell]

+1 on this, feeling confused since usually i implement oauth based on the spec, then found out there is no dedicated refresh_token using jwt-auth lib

[Messhias]

+1 on this, feeling confused since usually i implement oauth based on the spec, then found out there is no dedicated refresh_token using jwt-auth lib

Ok, if no one gets this to start developing I'll try to get this on this weekend to start developing and open the PR for us.

@leon0399 if you already started working on this you can open the PR as a draft and we can help you as well too.

[mfn]

Would the target be 1.x or 2.x? I mean are we expecting (hard to say before coding, right? 😅) incompatible changes for old package transitions? 🤔

[leon0399]

Would the target be 1.x or 2.x? I mean are we expecting (hard to say before coding, right? 😅) incompatible changes for old package transitions? 🤔

Let's move discussion regarding future incompatible changes somewhere else. This change is definetely breaking (atleasr how I see it)

I've started new discussion

[Messhias]

As of now let's close it since there's no further discussion about it.

[lakuapik]

Hi @leon0399 @Messhias just asking, has this been brought to v2.x? I am looking for a documentation, thank you.

[ZejdCicak]

@lakuapik did you ever figure this out?

[lakuapik]

@ZejdCicak not best practice, but last time, i created my own refresh_token outside of generated access_token. Then on refresh, use the custom created refresh_token instead of access_token.

[ZejdCicak]

Pining once more @leon0399 @Messhias just to see if you can tell us what's the status with this, thank you!