Refresh jwt token in a test loop - websphere

I have an IBM RPT script that has a loop inside, however, after 15 minutes, the jwt token expires so the script cannot complete the target iteration of the loop. Is there any way to refresh the token without re-logging in?

Related

Delay/Skip Token Expiration

Tokens are valid for 30 days from creation or last use, so that the 30 day expiration automatically refreshes with each API call. Tokens that aren’t used for 30 days expire.
Is there an API that basically doesn't return anything but acts as a kind of dummy call to keep the token from expiring when it is not used for more than 30 days?
Basically this is for when the test sites which use the token are not used for a longer period and the token expires.
I am aware that refresh tokens are a way to get around token expiration, but rather than getting a refresh token, I just need to keep making a call for the token to be active.
So it's typically recommended that we have a script hit one of the basic endpoints every few days to keep the token from expiring.
Here's a response from the Okta forum:
https://devforum.okta.com/t/delay-skip-token-expiration/22026?u=farhin

OAuth token generation using Jmeter for multiple User-Credentials

I am testing an application hosted in gcloud; to execute the test using JMeter I require an OAuth token for the respective user credentials. I am able to generate the token for one credential, however I have not been able to find a way to generate them for more than one user.
If anyone has faced such a problem or has any glimpse, please let me know.
Note:
I need a fresh token with every iteration since the token expires every 60 mins
I am able to generate the token manually to run the test
I have tried the auth/header manager for the process
I have tried console auth code generation code as well
All of the above generate an auth code for a specific credential, wherein I have to keep the application active.
So you want to apply load to the app backend using authenticated users.
If so, why don't you use:
A CSV file to store your test credentials
JMeter's CSV Config to read those credentials
A Once Only Controller for authentication, to extract access_token and refresh_token
The tokens to make calls to your backend
If you need to run a load test / soak test for longer than one hour, you can use an If Controller to verify the token validity and renew the token if necessary.
Hope this helps.
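The check-and-renew step suggested in the answer above, sketched as an added example (not from the original post and not JMeter configuration): each user logs in once, and the token's `exp` claim is read before every call so the token is renewed shortly before it lapses. `TokenCache`, the `login`/`renew` callables, the 60-second margin, the unsigned sample tokens and the two users are assumptions made for the illustration.

```python
import base64, json, time

def jwt_exp(token):
    """Read `exp` from a JWT payload without verifying the signature.
    Fine for a client deciding when to renew; servers must verify."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)              # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]

class TokenCache:
    """Per-user tokens: log in once, renew shortly before expiry."""
    def __init__(self, login, renew, margin=60, clock=time.time):
        self.login, self.renew = login, renew
        self.margin, self.clock = margin, clock
        self.tokens = {}                              # user -> (access, refresh)

    def access_token(self, user, password):
        if user not in self.tokens:                   # the "once only" login
            self.tokens[user] = self.login(user, password)
        access, refresh = self.tokens[user]
        if jwt_exp(access) - self.clock() <= self.margin:   # validity check
            self.tokens[user] = self.renew(refresh)
        return self.tokens[user][0]

def fake_jwt(sub, exp):
    """Constructed, unsigned sample token standing in for the real IdP's."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc({"sub": sub, "exp": exp}) + "."

def simulate(hours=3, step=600, lifetime=3600):
    """Run a soak test on a fake clock; return how often login/renew ran."""
    now, calls = [0], {"login": 0, "renew": 0}
    def login(user, password):
        calls["login"] += 1
        return fake_jwt(user, now[0] + lifetime), "rt-" + user
    def renew(refresh):
        calls["renew"] += 1
        return fake_jwt(refresh[3:], now[0] + lifetime), refresh
    cache = TokenCache(login, renew, clock=lambda: now[0])
    users = [("alice", "pw1"), ("bob", "pw2")]        # constructed CSV rows
    while now[0] < hours * 3600:
        for user, password in users:
            token = cache.access_token(user, password)
            assert jwt_exp(token) > now[0]            # never sends an expired token
        now[0] += step
    return calls
```

The margin has to be longer than the slowest request in the loop, otherwise a token can still expire while a call is in flight.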
If you need to refresh the token every 60 minutes, it makes sense to create a separate Thread Group which will execute a token refresh request every 60 minutes.
The token can be passed to the main Thread Group using the __setProperty() function; you can make the token value thread-specific by combining it with the __threadNum() function like:
In the "token" thread group:
${__setProperty(token_${__threadNum},${token},)}
In the "main" thread group you can read the value using the __P() function:
${__P(token_${__threadNum},)}
More information: Knit One Pearl Two: How to Use Variables in Different Thread Groups

How to Disable a JWT Token

I want to disable the generated JWT token when the user logs out from the application, and this needs to be done in the back-end code. How can I disable the JSON Web Token (JWT) using the authentication server (SpringBoot)?
Generally speaking, with JWTs you have an access token with a short duration (like 15 minutes) and a longer refresh token (30 days). You should store the refresh tokens that you've given out in a table and when the user logs out, flag the token as revoked and then when you give a new access token out, verify that the refresh token hasn't been revoked.
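The refresh-token table described in this answer, as an added example that is not part of the original answer and is written in Python rather than Spring Boot: refresh tokens are recorded when issued, flagged as revoked on logout, and checked before new access-token claims are handed out. The class and function names, the in-memory dict standing in for the table, and the choice to store only a hash of each token are assumptions of this sketch.

```python
import hashlib, secrets, time

ACCESS_TTL = 15 * 60            # short-lived access token, as in the answer
REFRESH_TTL = 30 * 24 * 3600    # longer-lived refresh token

class RefreshTokenStore:
    """Stand-in for the database table of issued refresh tokens."""
    def __init__(self, clock=time.time):
        self.rows = {}          # sha256(token) -> user, expires, revoked
        self.clock = clock

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked table does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):                   # called after a successful login
        token = secrets.token_urlsafe(32)
        self.rows[self._key(token)] = {
            "user": user, "expires": self.clock() + REFRESH_TTL, "revoked": False}
        return token

    def revoke(self, token):                 # called by the logout endpoint
        row = self.rows.get(self._key(token))
        if row:
            row["revoked"] = True

    def new_access_claims(self, token):      # called by the refresh endpoint
        row = self.rows.get(self._key(token))
        if row is None or row["revoked"] or row["expires"] <= self.clock():
            raise PermissionError("refresh token unknown, revoked or expired")
        now = int(self.clock())
        # Claims for the next access JWT; signing is left to the JWT library.
        return {"sub": row["user"], "iat": now, "exp": now + ACCESS_TTL}

def logout_demo():
    now = [1_700_000_000]                    # constructed clock value
    store = RefreshTokenStore(clock=lambda: now[0])
    rt = store.issue("alice")
    first = store.new_access_claims(rt)      # normal refresh works
    store.revoke(rt)                         # user logs out
    try:
        store.new_access_claims(rt)
        refreshed_after_logout = True
    except PermissionError:
        refreshed_after_logout = False
    return first["exp"] - now[0], refreshed_after_logout
```

With this design the access token issued before logout stays usable until its `exp`, which is why the access lifetime is kept short.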

Making Bearer token expire manually

I have a Web API which is issuing Bearer Token after successful login check.
And the API is set with a token expiration time of 1 day and it's working fine.
What I want is to expire that token before its scheduled time (like 1 hour) if the user sends a log out request, so that the token won't work after that.
Is it possible?
As per my point of view, there is no need to expire the generated token manually. Though if you want to do so, you need to update (refresh) the token expiry time to the current request time. Make sense?
But in that case, you will need to create a new token every time, even if the user logs out and logs in before the expiration time.
Because tokens are stored on the client and not on the server, you can't manually invalidate a token.
I had a similar problem once, in this question

Django REST JWT Refresh

Implemented Django REST and authentication using JWT.
For the JWT token, we have to refresh it before it expires.
After it has expired, JWT won't give a new token.
For my mobile device I need to refresh the token every 10 mins (JWT_EXPIRATION_DELTA).
And if the user is not active for more than 10 minutes, then I need to ask them to log in.
Is there any way that I can refresh the token even after the JWT token has expired? (We can limit the time to refresh to 2 days.)
What's the best way to handle this behavior on mobile?
Thanks.
Refreshing tokens in django-rest-framework-jwt
The django-rest-framework-jwt (v. 1.11.0) does not support "Refresh Tokens" as described for example here. It only supports refreshing non-expired tokens; it makes it easy to implement a sliding expiration window with a width of JWT_EXPIRATION_DELTA. For example, with settings
'JWT_EXPIRATION_DELTA': datetime.timedelta(seconds=300),
'JWT_REFRESH_EXPIRATION_DELTA': datetime.timedelta(days=7),
the user cannot be inactive for more than five minutes in order to stay logged in (docs).
Real Refresh Tokens, please?
It is possible to implement the "Refresh Tokens", which are very long lived ("never expiring") tokens, stored in a database, just like in conventional "HTTP Sessions & SessionIDs". This has actually already been implemented for the django-rest-framework-jwt in django-rest-framework-jwt-refresh-token. Another possibility is to use django-rest-framework-simplejwt, which also implements JWT with Access and Refresh Tokens (full example at Medium).
But... why?
Compared to using only Access Token JWTs, using Refresh Tokens makes it possible to revoke access after the Access Token is expired. Refresh Tokens make it possible to have very long ("lifetime of a mobile device") lasting tokens. One may ask why you shouldn't just stick with sessions (sessionid in a Cookie, and session data in a database table), if you are creating a collection of Refresh Tokens in a database and accessing that. Using an Access Token with an expiration time of one hour will mean that the database must be accessed once per hour (instead of once per PUT/POST request when using "traditional" sessions). In addition, you gain all the usual benefits of JWT tokens (ease of use in a microservice network, for example).
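The sliding window produced by the two settings quoted in this answer, modelled as an added example (not the library's code and not part of the original answer): a token can be refreshed only while it is still unexpired, and only until the refresh window counted from the first login runs out. `issue`, `refresh`, `session_length`, the datetime-valued claims and the exact boundary comparisons are assumptions of this model; signature handling is left out.

```python
import datetime as dt

JWT_EXPIRATION_DELTA = dt.timedelta(seconds=300)
JWT_REFRESH_EXPIRATION_DELTA = dt.timedelta(days=7)

class RefreshDenied(Exception):
    pass

def issue(now, orig_iat=None):
    """Claims for a token; orig_iat is carried over unchanged on refresh."""
    return {"exp": now + JWT_EXPIRATION_DELTA, "orig_iat": orig_iat or now}

def refresh(claims, now):
    # Rule 1: only a token that has not yet expired can be refreshed.
    if now >= claims["exp"]:
        raise RefreshDenied("token already expired: log in again")
    # Rule 2: refreshing stops once the window since the first login is over.
    if now > claims["orig_iat"] + JWT_REFRESH_EXPIRATION_DELTA:
        raise RefreshDenied("refresh window since first login is over")
    return issue(now, claims["orig_iat"])

def session_length(gap, start=dt.datetime(2024, 1, 1)):
    """Refresh every `gap` until refused; return how long the login lasted."""
    claims, now = issue(start), start
    while True:
        now += gap
        try:
            claims = refresh(claims, now)
        except RefreshDenied:
            return now - start

if __name__ == "__main__":
    # A client refreshing every 4 minutes versus one that waits 6 minutes.
    print(session_length(dt.timedelta(minutes=4)))
    print(session_length(dt.timedelta(minutes=6)))
```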
You can use refresh tokens, as defined in OAuth 2.0
Refresh tokens are credentials used to obtain access tokens. Refresh
tokens are issued to the client by the authorization server and are
used to obtain a new access token when the current access token
becomes invalid or expires,
After a successful login, issue a refresh and an access token. While an access token expires shortly, a refresh token is long lived. Store it securely, and use it to issue new access tokens when the current one expires.
