Access token never expire

[atf98]

I'm doing this project where I use a JWT as auth for the user; however, the access token never expires even thou it is equal to 1min in the settings.py, but when I issue a new access token within the minute, it works, but after a minute it shouldn't work, and the view should return a 403 code, but this is not what happens, and the view returns the data even after one or two days or the expiration time for the token.

I did the IsAuthenticated permission and checked the token on the jwt.io site for the expiration time. Also, I used TokenVerifyView to check on the token; within the minute, it returned an empty dict, and after the minute, it returned the status code I wanted 401.

First, it happened on a project I customized the view for the generator of the token, so I decided to create a new one from scratch and use the doc code only, even do it on different System (my laptop and PC), and it's the same, the access token never expired

settings.py

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated', 
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework_simplejwt.authentication.JWTAuthentication',
    ],
}

SIMPLE_JWT = {
    'ACCESS_TOKEN_LIFETIME': timedelta(minutes=1),
    'REFRESH_TOKEN_LIFETIME': timedelta(days=1),
    'ROTATE_REFRESH_TOKENS': False,
    'BLACKLIST_AFTER_ROTATION': False,
    'UPDATE_LAST_LOGIN': False,

    'ALGORITHM': 'HS256',
    'SIGNING_KEY': SECRET_KEY,
    'VERIFYING_KEY': None,
    'AUDIENCE': None,
    'ISSUER': None,
    'JWK_URL': None,
    'LEEWAY': 0,

    'AUTH_HEADER_TYPES': ('Bearer',),
    'AUTH_HEADER_NAME': 'HTTP_AUTHORIZATION',
    'USER_ID_FIELD': 'id',
    'USER_ID_CLAIM': 'user_id',
    'USER_AUTHENTICATION_RULE': 'rest_framework_simplejwt.authentication.default_user_authentication_rule',

    'AUTH_TOKEN_CLASSES': ('rest_framework_simplejwt.tokens.AccessToken',),
    'TOKEN_TYPE_CLAIM': 'token_type',
    'TOKEN_USER_CLASS': 'rest_framework_simplejwt.models.TokenUser',

    'JTI_CLAIM': 'jti',

    'SLIDING_TOKEN_REFRESH_EXP_CLAIM': 'refresh_exp',
    'SLIDING_TOKEN_LIFETIME': timedelta(minutes=1),
    'SLIDING_TOKEN_REFRESH_LIFETIME': timedelta(days=1),
}

views.py

class UserViewSet(viewsets.ModelViewSet):
    permission_classes = [permissions.IsAuthenticated,]
    queryset = User.objects.all()
    serializer_class = UserSerializer

[auvipy]

OK thanks for opening the discussion, will come back to you next week for looking into this properly

[InamAli123]

I am facing the same issue

[jerinpetergeorge]

It seems the issue has been fixed after upgrading the djangorestframework-simplejwt to 5.2.2 (see this SO post). But I couldn't reproduce the issue with my setup - see this repo