For a web application that doesn't reload the page with in 3600 seconds, whats the best way to keep the session alive with google plus?
If I use the html sign in button, is there a javascript call to refresh the session?
Do I need to refresh the token, but does that update the session?
Would it be best to call the server and refresh the token, but then I need to update the client cookie?
Should I reload the page, this would suck b/c its an application that shouldn't do that?
Can I ask the javascript to sign in again, but I get a popup blocker?
How do I deal with the 3600 token expiring in a web application that doesn't refresh the page?
<span id="signinButton">
<span class="g-signin" data-callback="signinCallback"
data-clientid="xxxxxx.apps.googleusercontent.com"
data-cookiepolicy="single_host_origin"
data-accesstype="offline"
data-approvalprompt="auto"
data-theme="dark"
data-requestvisibleactions="http://schemas.google.com/AddActivity"
data-scope="https://www.googleapis.com/auth/plus.login
https://www.googleapis.com/auth/plus.me
https://www.googleapis.com/auth/userinfo.email
email">
</span>
</span>
You can use the gapi.auth.authorize call of the JS Client library (which will be loaded with the Sign-in JS script), providing the same parameters you did in the Sign-in Button, and using 'immediate': true. Since the user already authenticated before, this will refresh the token automatically (if necessary).
Related
I have a test web app, with the Sign In with Google button + One Tap UX configured with a data-nonce :
<div
id="g_id_onload"
data-client_id="<%=google_client_id%>"
data-context="signin"
data-ux_mode="popup"
data-login_uri="<%=site_address%>/sign-in-with-google-callback"
data-nonce="<%=idTokenNonce%>"
data-itp_support="true"
></div>
<div
class="g_id_signin"
data-type="standard"
data-shape="rectangular"
data-theme="outline"
data-text="signin_with"
data-size="large"
data-logo_alignment="left"
></div>
On Chrome (and the other non-ITP browsers) both buttons work properly and I receive the ID token (JWT) that contains a claim nonce with the nonce that I specified when rendering the page.
On Safari (ITP) with "Prevent cross-site tracking" the regular button produces a id token that has the nonce. But if I login using the One Tap (upgraded One Tap UX on ITP browsers) I get a ID token but that JWT does not contain any nonce claim.
Is there anything I could do to get the nonce to work also for the "upgraded One Tap UX on ITP browsers"?
I am going to implement JWT authentication for several independent services.
There will be auth.example.com and service1.example.com, service2.example.com etc.
My assumptions:
JWT can be kept in cookie for ".example.com"
JWT expire time should be small (like 15 mins) because there is no reliable way to logout user with JWT token (revoke token).
Refresh tokens should be used to reissue JWT tokens
Refresh token cookies should be accessible only by auth.example.com for security reasons and because https://www.rfc-editor.org/rfc/rfc6749#section-1.5 says
"Unlike access tokens, refresh tokens are intended for use only with authorization servers and are never sent to resource servers."
Next, if I have a service - multi page application (i.e. not SPA), where some URLs are called "traditional" way, not via Ajax and render HTML
based on some server side logic, which, of course, include checking of user authorization.
then, say, there will be an action service1.example.com/user/showpage
if (user.logged_in) {
render_some_html(get_some_data(user.login))
}
else {
render_anonimous_uses_page()
}
Problem is:
If site user close all site tabs and, then after hour or so, go directly to page /user/showpage (or maybe he
suspend laptop and wake it up in an hour and go to that page).
What if by that time JWT token will expire. Then to refresh it by Refresh token we need to make Ajax call to auth.example.com (because Refresh
token is stored only in auth.example.com cookie) and this is just unaccessible in server side rendering (that pseudocode that I posted above, it's server side, and it's just impossible to make client ajax call in the middle of execution of server code. it's just not applicable here). This way user will be considered logged out
on this stage.
Redirect could be one solution.. but what if site should work for anonymous out users too, and anyway looking for something better.
This problem not exists for SPA application, because before every Ajax call to internal API, it can check JWT and make call to refresh JWT token.
And question is: is this true that JWT in general should not (cannot) be used in Multi-Page (traditional) applications because of this issue? or there is good way to workaround this? or this is not a problem at all (users don't close tabs too often, or they expect site to log them out or redirect etc)?
We have decided to switch from Hazelcast shared session to Stateless JWT authentication/authorization with OAuth2 and found out a problem that doesnt fit our infrastructure described below.
So we have multiple Self-contained systems (scs) that may be accessed by direct link i.e. mysite.com/scs1 and mysite.com/scs2.
Each scs has it's own UI and BackEnd, but "session" (implemented via Stateless JWT Authorization) has to be valid across multiple scs'es.
OAuth2 Authorizaion Server is a dedicated server (UAA).
In the OAuth2 terminology, each scs is a Resource Server.
Let's assume that user has logged into scs1 (via UAA) and got JWT with TTL=10 minutes and RefreshToken with TTL=30 minutes. Then he leaves that tab in browser for 15 minutes. JWT expires, but the tab still contains the previous page from scs1. And user clicks a link on that page that follows to mysite.com/scs3.
scs3 receives a request, checks JWT and finds out that it has expired. But we have a RefreshToken (still alive for 15 minutes) that may refresh JWT.
Is it possible to return a response from scs3 that would ask browser to go to UAA and silently refresh JWT ?
Maybe some kind of REDIRECT to /uaa/authorization with an ability to add RefreshToken Header?
We have finally found out how to deal with token refresh in our case.
JWT has TTL=10min
RefreshToken has TTL=30min
Javascript, embedded in each page of our site refreshes JWT each 8-9 minutes. So when User has an opened tab in his browser, the refresh procedure will happen seamlessly.
A corner case is when User:
Opens tab mysite.com/scs1
Logs in
Closes tab
Waits 15 minutes. JWT expires, RefreshToken is still alive.
Opens new tab and enters mysite.com/scs1 or scs2 etc.
At this point the BackEnd receives only JWT which is expired.
So BackEnd redirects User to a dedicated web-page /try-refresh?uri=mysite.com/scs1
try-refresh page contains ONLY javascript which tries to refresh token and in successful case redirects User back to address from uri parameter
I am trying to implement a login for my mobile app to my backend. I previously used to use a method that required hashing on mobile site and backend site. The password would be hashed saved on the mobile site and be included in the hash. If hashes on mobile side and backend side would be equal, the request would be valid.
However I wanted to add Facebook login to my login system so I kinda find out it was not gonna work the way I had built it before. I came to the conclusion that I probably have to change the entire method to token login.
What I have currently functioning is Facebook button on mobile side, this creates for me a Facebook userid and Facebook access token. I send both these values to my backend and use a Facebook graph call to retrieve the facebookid from the access token. if both the Facebook userids are equal. I either register the user or log him in.
This is where I get stuck. I now want to generate my own token to send back to the mobile side, because I have custom login (email+password) (Facebook is just an option). So I think using my own auth token for both ways is the best.
I have a few questions about this token:
What should the token exist of?
Do I need to save this token on the mobile (not hashed?)
What is the best way to built in expiring time and automatic refresh token
What I can't really understand is the security of this authentication method. Sending a token over a request that gives you access to user information is just as bad as a plain password I think? Is SSL connection simply enough?
I understand these are a lot of question in one but I hope someone can give me a clear explanation.
Thank you
You can try JWT (JSON web token), it's really simple. The idea its, when you do the login, the servers return you the JWT and you simply have to save it in your mobile app. Then you have to pass it as a header (assuming you are developing for Android):
request = new HttpGet();
request.addHeader("Authorization", "Bearer " + Global.loginData.jwt);
I have a grails application and I want to connect my user's account to their LinkedIn accounts.
So my steps are:
Have the user click on a button that redirects to:
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=MY_API_KEY&scope=r_network&state=SOME_TEXT&redirect_uri=MY_REDIRECT_URI
Then LinkedIn redirects to the specified redirect_uri and I get the authorization code as a parameter in the response. With that code I do a post to:
https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=MY_AUTHORIZATION_CODE&redirect_uri=SAME_REDIREC_URI_AS_BEFORE&client_id=MY_API_KEY&client_secret=MY_API_SECRET
That works like charm! I get the Access Token and I save it in the User domain class together with the expiration date.
Now my issue comes when I want to have a piece of code with the logic to refresh the Access Token before it expires to avoid having the user clicking on the button every now and then. I know of applications where you link your account to LinkedIn and never have to refresh the token again.
In the documentation: http://developer.linkedin.com/documents/handling-errors-invalid-tokens you can find a section called Refreshing Access Tokens that says:
Refreshing an access token is very simple and can happen without an authorization dialog appearing for the user. In other words, it's a seamless process that doesn't affect your application's user experience.
Simply have your application go through the authorization flow in order to fetch a new access token with an additional 60 day life span.
So how can I follow the same process describe above if it starts with a click of the user in a button.
I have tried doing a GET using he HTTPClient class from groovy like follows:
new RESTClient(accessTokenRequestUrl, ContentType.URLENC)
where the accessTokenRequestUrl is the same used above in the button href. This should eventually call my redirect_uri where I use the authorization code to request the access token but it never gets to that point.
I have tried using the RESTClient add-on for Firefox and it works ok but it doesn't if the call is done from within the application.
Any thoughts?
Thanks in advance!
Cheers,
Juan
If you use the Linkedin JavaScript API, then the access token will be automatically refreshed without any user intervention. Make sure inside your initialization string you set authorize: true so that refresh is seamlessly done as follows:
<script type="text/javascript" src="http://platform.linkedin.com/in.js">
api_key: YOUR_KEY_HERE
authorize: true
</script>