Google OAuth - Incremental scopes need new refresh token? - google-oauth

Just a quick question and I haven't been able to find this answered anywhere.
If I have a user with a Refresh Token with scope x and I need to add scope y, will they be issued a new refresh token or do I keep their existing refresh token?
My expectation is that no new Refresh Token is generated, it is the access token which will have the new scope and I use the existing Refresh Token to get the new access token on the server.
Is my understanding correct here?

Related

how are refresh and access tokens used in passport-google-oauth20

I'm kind of new to using google-oauth using passport. I've been trying to understand how it works, but what I mostly don't understand is: where are the access token and refresh token used in the googleStrategy?
Can we use the refresh token and the access tokens to implement the access token logic?

How to manage refresh token in JWT Token method in express?

ex)
refresh token: A
access token: B
user acquisition: A, B
If B expires, use A to reissue B
So if the attacker steals A, doesn't he get B?
According to the rfc official documentation, I heard that the client has A and B, but I don't know if that's true.
I don't understand the mechanism of using the correct refresh token.
How should I shape the implementation direction?
I logged in and finished issuing refresh tokens and access tokens.
Main question: when accessing a protected page, when the access token expires and there is a refresh token, I don't know how to use it. I don't know if it's true that the problem of being stolen arises.
In order to get the access token and refresh token, most of the time you're using your username and password. The idea of using tokens is to send your credentials in transit as little as possible, to avoid having the credentials stolen.
The difference between these two tokens is in the ability to revoke them: with an access token you're not able to revoke the token (if the token is stolen, the attacker can do anything), whereas the refresh token (a.k.a. your session) can be revoked, so if this token is stolen you can revoke it and no new access token will be generated.
Best practice is to generate a short expiration for the access token (in case it is stolen) and a long period for the refresh token, so that you don't use your credentials a lot.
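The difference this answer describes, as an added example that is not part of the original posts: the access token is checked by signature and expiry alone, while the refresh token is looked up in a server-side store on every use, so revoking it stops reissue but does not cut short an access token already handed out. The HMAC token format, the five-minute lifetime and all function names are assumptions made for illustration.

```javascript
// Added example with constructed values; names and token format are assumptions.
const crypto = require('node:crypto');

const ACCESS_KEY = crypto.randomBytes(32);  // server-side signing key
const ACCESS_TTL_S = 300;                   // short-lived access token (5 minutes)
const sessions = new Map();                 // refresh token -> { user, revoked }

const sign = (body) =>
  crypto.createHmac('sha256', ACCESS_KEY).update(body).digest('base64url');

// Access token: self-contained, validated by signature and expiry only.
function issueAccessToken(user, now) {
  const claims = JSON.stringify({ sub: user, exp: now + ACCESS_TTL_S });
  const body = Buffer.from(claims).toString('base64url');
  return `${body}.${sign(body)}`;
}

function verifyAccessToken(token, now) {
  const [body, mac] = String(token).split('.');
  if (!body || !mac) return null;
  const expected = Buffer.from(sign(body));
  const given = Buffer.from(mac);
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  return claims.exp > now ? claims : null;  // no store lookup, so no early revocation
}

// Refresh token: opaque random value, looked up on the server on every use.
function login(user) {
  const refreshToken = crypto.randomBytes(32).toString('base64url');
  sessions.set(refreshToken, { user, revoked: false });
  return refreshToken;
}

function refresh(refreshToken, now) {
  const s = sessions.get(refreshToken);
  if (!s || s.revoked) return null;         // unknown or revoked: nothing is reissued
  return issueAccessToken(s.user, now);
}

function revoke(refreshToken) {
  const s = sessions.get(refreshToken);
  if (s) s.revoked = true;
}
```
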

JWT refresh token overriding

I am facing a problem in a JWT scenario. When a user logs into the system through a web app, I generate a JWT access token (JWT auth) and a custom refresh token and save the refresh token in DB for later verification. But the problem is that when the same user logs in through the mobile app, it replaces the new refresh token in DB which invalidates the previous refresh token stored in the web's local storage.
I want to know how to deal with this problem. Do I need to create a separate table in DB for user refresh tokens and check them out or is there another better approach?
The best approach is to save more than one refresh token per user in a separate table with a foreign key to the user. That way you can have many refresh tokens associated with a user (and also other information about each refresh token, such as an expiry date) that can also help when implementing revocation (you'll have more information to present the user when choosing which token to revoke).

blacklisting/validating/generating JWT Refresh Tokens

I issue an access token along with a refresh token upon successful login. They are both saved in same site cookies in the browser. A custom middleware will put the token in Authorization header before the authentication process. This middleware will also check if the access token is expired, if it is it will try the refresh token, if validated it will save two new cookies(the new refresh token and new access token) and pass the new generated access token with the current request.
Is this how we are supposed to implement refresh tokens? If I want to blacklist a specific refresh token, should I save all refresh tokens in the database?

    string auth = httpContext.Request.Cookies["AuthToken"];
    if (string.IsNullOrEmpty(auth))
    {
        // That token won't be accepted; I just put it there for the sake of demonstration.
        httpContext.Request.Headers.Add("Authorization", $"AuthorizationCookieNotFound");
        return _next(httpContext);
    }
    // Forward the cookie value as a bearer token for the authentication handler.
    httpContext.Request.Headers.Add("Authorization", $"Bearer {auth}");
    return _next(httpContext);

You have to be very careful while storing refresh tokens and they must be kept at some secret place otherwise you know the consequences.
I assume you are using "Authorization Code flow" here. So it's a good idea to store the refresh tokens in the db against the username and you can add an extra column e.g. "IsRevoked" for status purpose and then you can blacklist/whitelist the tokens based on the username and IsRevoked status.
See this link about storing tokens.
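The storage layout suggested in the two answers above (a separate table holding many refresh tokens per user, and an "IsRevoked" column), as an added example that is not code from the original posts. The in-memory Map standing in for the table, the per-row device label, the 30-day lifetime and the choice to store only a SHA-256 hash of each token are assumptions made here.

```javascript
// Added example with constructed values; names and columns are assumptions.
const crypto = require('node:crypto');

// Stand-in for a refresh_tokens table: one row per login, many rows per user.
// Columns: tokenHash (key), userId (foreign key), device, expiresAt, isRevoked.
const refreshTokens = new Map();
const REFRESH_TTL_S = 30 * 24 * 3600;

const hash = (token) => crypto.createHash('sha256').update(token).digest('hex');

function issue(userId, device, now) {
  const token = crypto.randomBytes(32).toString('base64url');
  refreshTokens.set(hash(token), {
    userId, device, expiresAt: now + REFRESH_TTL_S, isRevoked: false,
  });
  return token;                     // only the hash is kept on the server
}

// Rotation on refresh: the presented token is retired and a new one is issued.
function rotate(token, now) {
  const row = refreshTokens.get(hash(token));
  if (!row || row.isRevoked || row.expiresAt <= now) return null;
  row.isRevoked = true;             // the old token can no longer be used
  return issue(row.userId, row.device, now);
}

// Revoke one device's tokens without touching the user's other logins.
function revokeDevice(userId, device) {
  let count = 0;
  for (const row of refreshTokens.values()) {
    if (row.userId === userId && row.device === device && !row.isRevoked) {
      row.isRevoked = true;
      count += 1;
    }
  }
  return count;
}

// What a session list would show when the user picks a token to revoke.
function activeSessions(userId, now) {
  return [...refreshTokens.values()]
    .filter((r) => r.userId === userId && !r.isRevoked && r.expiresAt > now)
    .map((r) => r.device);
}
```
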

Refresh Roles in IdentityServer-Clients

I'm having an identityServer with some clients and it works great. My problem is, when one of the admins changes the roles of a user, the clients need to sign up and sign in to get the new claims and roles.
My question is, is there a way to let the roles get updated automatically after changing the roles, without getting signed out and in?
For any help I would be very thankful :)
You can set this flag to true in the client definition to reload the claims inside the access token when you refresh them
UpdateAccessTokenClaimsOnRefresh
Gets or sets a value indicating whether the access token (and its claims) should be updated on a refresh token request.
see https://docs.duendesoftware.com/identityserver/v5/reference/models/client/
For refresh tokens, I add some pictures from my training class that might give a better idea about refresh tokens (you ask for them using the offline_access scope)
When you ask for that scope and give consent, then you will get an additional "refresh token"
And using the refresh token you can then ask for new access tokens.
The picture (Taken from my training class) shows how the sliding refresh token works:
You do ask for a new token (using the refresh token) when the access token is about to expire. The lifetime of the access token is shorter than the refresh token.
You either do that manually or you use some library like IdentityModel.AspNetCore to do it for you.