JWT Token is generated in our application and using the same token within the expiration time I can call my API from postman also. I need to restrict that , so how can we identify if the API call with JWT token is coming from Postman or from browser and how to authenticate it in .net core ?
Related
I'm using .NET 6 with HttpOnly cookie-based JWT authentication in my WebAPI, and I'm now implementing token refresh.
I store the JWT and a Refresh Token in cookies, e.g.:
X-Access-Token: eyJhbGciO...
X-Refresh-Token: d8085ec8-d0bc-4e5c-b6b6-cd76146c419f
Most flows I've found for token refresh look like this, with the client calling the /refresh endpoint to get a new JWT:
client sends request to server
server rejects request with a 401 Unauthorized
client requests new JWT (expired JWT and Refresh Token automatically sent to server in cookie)
server validates cookie Refresh Token, generates new JWT and Refresh Token, assigns to cookies
client sends original request to server, with the new JWT and Refresh Token in the cookie
My question is:
When the initial request with the expired JWT is received by the server, since the server already has the refresh token (sent in the X-Refresh-Token cookie), can't the server issue a new JWT and Refresh Token at that time and successfully complete the request? This completely eliminates the need for a separate request and response to refresh the tokens. This is the flow:
client sends request to server
JWT is expired, but Refresh Token is valid
server creates new JWT and Refresh Token, assigns to cookies
server successfully completes the request
Is there a vulnerability or security risk implementing the refresh this way? I cannot think of one, but I could not find any examples with this flow.
Thanks!
Why are you using JWT access tokens? If the server could respond with an updated access token by looking at the refresh token, then why wouldn't the server just look at refresh tokens every time, and then the JWT access tokens aren't needed?
The point of using JWTs, and access tokens in general, is that it allows stateless authentication with services that have no access to the refresh token store. Usually, you will have an authentication service, it stores the refresh tokens, and calls to /refresh get routed to it, and it will validate the refresh token, and issue the access token. Then, calls to other services are able to validate the access token, without needing to make any calls on the authentication service. So, the reason why they don't just reply with a new access token when authentication fails is because those services are incapable of checking the refresh token, they don't have access to the refresh token store, only the authentication service does.
If however your application is one big monolith, where every endpoint is hosted by the same server and therefore is capable of checking refresh tokens and issuing access tokens, then there is absolutely no reason for you to be using access tokens or JWTs in general. You should just use refresh tokens, which, in this case, would be better called a session token.
I try to create a postman collection for my backend service which uses Azure B2C Authentication.
Within my Collection I added Authentication, which works and I can authenticate within my Chrome Browser:
Once I am authenticated and redirected back to Postman it says that an access_token can not be found. I can see that it is in id_token:
Now I created also a Request with Authentication Type oAuth 2.0 where I could select Available Token. But as the token is not within access_token it does not autofill the token. Is there any way to tell Postman that i want to use id_token as access_token within my requests in the collection?
Thanks for your help and feedback
As you saved your token with the name as Azure AD B2C Authentication, for your requests, you can select the Azure AD B2C Authentication from your available tokens.
This will auto-fill the token
I created the token with name as access token
Now for my request, I selected the access token from the available tokens under Access Token
Then the token is auto-filled as below
In this way, you can use the Access Token in collections in postman
I have two projects, one is the API, the other one is the Client to consume the API. Both are .net core 3.1. The API project has been developed inspired by this post:
https://jasonwatmore.com/post/2021/06/15/net-5-api-jwt-authentication-with-refresh-tokens#users-controller-cs
and it has JWT Authentication with refresh token and some methods with Authorize attribute.
My problems starts in the Client project. The API projects emits access token and the client should use it accessing the protected API.
I can authenticated in the API, but when the client receives token (access token and refresh token), it store it in authentication cookie and in the refresh token cookie.
My doubts are:
Is this approach correct?
how can i manage that the access token expires and use the refresh token to get a new one? Do cookies need to be regenerated?
In future development i will add Facebook auth and client auth.
If is needed more details or some implementation let me know.
Thanks in advance.
I'm auditing an API whose client is a mobile application using the OAuth2 workflow but I'm missing something. I have a first endpoint of the /token.oauth2 API which allows me with credentials to get an access token needed to call other endpoints of the API. So far OK but on top of that I have an "x-api-key" which is transmitted along with the access token and if both the API key and the access token are not present, the server sends me a HTTP 401 response.
I can't find any mention of a connection flow using both an "x-api-key" and an access token in the OAuth2 standard. When do you think?
I am looking for an easy way to add bearer tokens to PostMan. I have imported my API into PostMan from a swagger definition, and am wondering if authorization can be added automatically to all requests in some easy way, such that I do not have to change the Authorization header for each endpoint whenever the token changes.
I am currently requesting a token at /token for my API by sending an x-www-form-urlencoded request containing the parameters username, password and grant_type with a password value.
The returned access_token is then appended to the Authorization header in the format "Bearer token-received-from-token-endpoint" for each request to the API.
The backend is implemented with AspNet Identity Framework and AspNet Web API 2.
Good approach here is chaining request
When you get a token, assign it to an environment variable and use that variable in your subsequent requests.
This way you will have a fresh token every time and your other requests can use that on runtime