Why doesn't TokenAuthentication include a refresh token?

[realsuayip]

I'm researching on types of authentication, I see most of the token-based solutions include a refresh token. As far as I understand, refresh token helps increase security by reducing the attack surface, by giving access token a short lifetime (which is passed around all the time), and refresh token a long one.

So I'm a bit curious, is there a specific reason the authtoken module doesn't include a refresh token? Or am I missing something?

[hashlash]

From what I understand, DRF's TokenAuthentication is different from more popular token concepts such as OAuth token. Someone in #601 (comment) even said that the token is somewhat comparable to password. The issue isn't about refresh token, but it hinted at how the TokenAuthentication differs from other popular token mechanisms.

If you find this doesn't suit you, there are 3rd party packages available as alternatives.

DRF suggested if you need additional functionality outside the features already implemented as a 3rd party package:

Feature requests will often be closed with a recommendation that they be implemented outside of the core REST framework library. Keeping new feature requests implemented as third party libraries allows us to keep down the maintenance overhead of REST framework, so that the focus can be on continued stability, bugfixes, and great documentation.

[realsuayip]

Thanks for you comment. From the discussion also, it seems to be the case that current implementation of authtoken package is not preferred. Maybe deprecating it and defaulting to 3rd party packages would be better for DRF.