I am new to JWT, so apologies in advance.
I am using php-jwt library.
Headers
include_once("includes/jwt/BeforeValidException.php");
include_once("includes/jwt/ExpiredException.php");
include_once("includes/jwt/JWK.php");
include_once("includes/jwt/JWT.php");
include_once("includes/jwt/SignatureInvalidException.php");
use \Firebase\JWT\JWT; // import the class so that JWT::encode() resolves
header("Access-Control-Allow-Origin: *");
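// Allowed methods go in Access-Control-Allow-Methods; Access-Control-Request-Headers is a request header sent by the browser.
header("Access-Control-Allow-Methods: GET,POST,OPTIONS,DELETE,PUT");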
header('Access-Control-Allow-Headers: Authorization, Accept,Accept-Language,Content-Language,Content-Type');
I am generating token using the following:
$secret_key = "***";
$issuer_claim = "***";
$audience_claim = "***";
$issuedat_claim = time(); // issued at (Unix timestamp)
$notbefore_claim = $issuedat_claim; // not usable before this time, in seconds
$expire_claim = time() + (60*60); // expiry time in seconds (60 minutes from now)
$token = array(
    "iss" => $issuer_claim,
    "aud" => $audience_claim,
    "iat" => $issuedat_claim,
    "nbf" => $notbefore_claim,
    "exp" => $expire_claim,
);
$jwt = JWT::encode($token, $secret_key);
However, when I decode the generated token using the tool on jwt.io, it shows that the token will expire in 5 minutes.
{
"iss": "***",
"aud": "***",
"iat": 1600925201,
"nbf": 1600925201,
"exp": 1600925501
}
Can you please guide me on how to increase the expiry time? Even though I have specified 60 minutes in the payload, the token is valid for only 5 minutes.
Secondly, I wanted to know how I can keep the token alive for a user who is active. For example, for a user who remains inactive for 60 minutes, the token should expire. But a user who is using the website/web app should not be logged out, because he might be in the middle of something and a sudden logout would break the flow. I have read about refresh tokens in this regard, and if you think that is the approach to go with, I would be grateful if you could share some tutorial on that, because I haven't found any that gives a good understanding of how to implement it.
Thanks in advance.
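One way to get the behaviour asked about in the second question (expire after 60 idle minutes, stay valid while the user is active) is to re-issue the token on each authenticated request, shown here as an added example that is not part of the original post and not php-jwt's own code. It signs HS256 with PHP's built-in hash_hmac so it runs without the library; the helper names, the auth_time claim and the 8-hour absolute cap are assumptions.

```php
<?php
// Added example. b64url, sign_hs256, verify_hs256 and renew_if_active are
// hypothetical helpers written for this page, not php-jwt functions.
const IDLE_TTL = 3600;       // 60 minutes of inactivity, as in the question
const MAX_SESSION = 28800;   // assumed absolute cap (8 h) so renewal cannot run forever

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function sign_hs256(array $claims, string $key): string {
    $head = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $body = b64url(json_encode($claims));
    return $head . '.' . $body . '.' . b64url(hash_hmac('sha256', $head . '.' . $body, $key, true));
}

// Always checks HMAC-SHA256, whatever the header claims, then nbf and exp.
function verify_hs256(string $jwt, string $key, int $now): ?array {
    $p = explode('.', $jwt);
    if (count($p) !== 3) return null;
    $mac = b64url(hash_hmac('sha256', $p[0] . '.' . $p[1], $key, true));
    if (!hash_equals($mac, $p[2])) return null;
    $c = json_decode(base64_decode(strtr($p[1], '-_', '+/')), true);
    if (!is_array($c) || !isset($c['iat'], $c['exp'])) return null;
    if (($c['nbf'] ?? 0) > $now || $c['exp'] <= $now) return null;
    return $c;
}

// Call on every authenticated request. Returns a re-issued token whose exp
// slides forward, or null when the caller must log in again.
function renew_if_active(string $jwt, string $key, int $now): ?string {
    $c = verify_hs256($jwt, $key, $now);
    if ($c === null) return null;                    // tampered, or idle past exp
    $start = $c['auth_time'] ?? $c['iat'];           // when the login happened
    if ($now - $start >= MAX_SESSION) return null;   // absolute cap reached
    $c['auth_time'] = $start;
    $c['iat'] = $c['nbf'] = $now;
    $c['exp'] = min($now + IDLE_TTL, $start + MAX_SESSION);
    return sign_hs256($c, $key);
}

// Constructed demo values; the clock starts at the iat shown in the question.
$key = 'constructed-demo-key';
$t0  = 1600925201;
$jwt = sign_hs256(['iss' => 'example-issuer', 'aud' => 'example-audience',
                   'iat' => $t0, 'nbf' => $t0, 'exp' => $t0 + IDLE_TTL], $key);
$renewed = renew_if_active($jwt, $key, $t0 + 1800);   // request after 30 min
$idle    = renew_if_active($jwt, $key, $t0 + 3601);   // first request after 60 min idle
var_dump($renewed !== null, $idle === null);
```

The client replaces its stored token with the one returned on each response; the absolute cap bounds how long a stolen token can keep renewing itself.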